Guidelines on Bank-Wide Risk Management
Internal Capital Adequacy Assessment Process

These guidelines were prepared by the Oesterreichische Nationalbank in cooperation with the Financial Market Authority (FMA).

Cover graphic labels: Quantification, Aggregation, Allocation, Monitoring, Identification


Published by:
Oesterreichische Nationalbank (OeNB), Otto Wagner Platz 3, 1090 Vienna, Austria
Austrian Financial Market Authority (FMA), Praterstrasse 23, 1020 Vienna, Austria

Produced by: Oesterreichische Nationalbank

Editor in chief:
Günther Thonabauer, Secretariat of the Governing Board and Public Relations (OeNB)
Barbara Nösslinger, Staff Department for Executive Board Affairs and Public Relations (FMA)

Editorial processing:
Mario Oschischnig, Birgit Steiger (both OeNB)
Jürgen Bauer, Peter Lechner, Christine Siegl, Dagmar Urbanek, Radoslaw Zwizlo (all FMA)

Design: Peter Buchegger, Secretariat of the Governing Board and Public Relations (OeNB)

Typesetting, printing, and production: OeNB Printing Office

Published and produced at: Otto Wagner Platz 3, 1090 Vienna, Austria

Inquiries:
Oesterreichische Nationalbank
Secretariat of the Governing Board and Public Relations
Otto Wagner Platz 3, 1090 Vienna, Austria
Postal address: PO Box 61, 1011 Vienna, Austria
Phone: (+43-1) 40 420-6666
Fax: (+43-1) 40 420-6696

Orders:
Oesterreichische Nationalbank
Documentation Management and Communications Services
Otto Wagner Platz 3, 1090 Vienna, Austria
Postal address: PO Box 61, 1011 Vienna, Austria
Phone: (+43-1) 40 420-6666
Fax: (+43-1) 40 420-6696

Internet:
http://www.oenb.at
http://www.fma.gv.at

Paper: Salzer Demeter, 100% woodpulp paper, bleached without chlorine, acid-free, without optical whiteners

DVR 0031577

Preface

The dynamic growth of financial markets and the increased use of complex bank products have brought about substantial changes in the business environment faced by credit institutions today. These challenges require functioning systems for the limitation and targeted control of each institution's risk situation.

In addition to describing methods for calculating regulatory capital requirements, the new regulatory capital framework (Basel II) also places increased emphasis on risk management and integrated bank-wide management. Banks are required to employ suitable procedures and systems in order to ensure their capital adequacy in the long term with due attention to all material risks. In the international discussion, the corresponding procedures are referred to collectively as the ICAAP (Internal Capital Adequacy Assessment Process).

These guidelines are designed to assist practitioners in the implementation of an ICAAP. In this context, the selection and suitability of methods depend heavily on the complexity and scale of each individual institution's business activities. In this guideline, these circumstances are emphasized specifically in line with the principle of proportionality.

The purpose of this publication is to develop mutual understanding between supervisory authorities and banks with regard to practical ICAAP implementation. We sincerely hope that the ICAAP guideline provides practitioners as well as the interested public with interesting and useful reading on this subject.

Vienna, February 2006

Josef Christl
Member of the Governing Board
Oesterreichische Nationalbank

Kurt Pribil, Heinrich Traumüller
FMA Executive Board

Content

1 Introduction
2 Basic Structure of the Internal Capital Adequacy Assessment Process (ICAAP)
2.1 Supervisory Background
2.1.1 ICAAP in the Basel II Capital Accord
2.1.2 Definitions
2.1.3 Supervisory Basis for Implementation in Austria
2.2 Motivation and Necessity from a Business Perspective
2.3 Basic ICAAP Requirements
3 General Framework
3.1 Principle of Proportionality
3.1.1 Indicators for Specifying Risk Structure
3.1.2 Application of the Proportionality Principle to the Banking Market in Austria
3.2 Levels of Application within Groups
3.2.1 ICAAP at Various Levels within a Group
3.2.2 Possible Methods of ICAAP Implementation at the Consolidated Level
3.3 Responsibility of the Credit Institution for the ICAAP
3.3.1 Responsibility of the Management
3.3.2 Outsourcing ICAAP Tasks
3.4 Documentation Requirements
4 ICAAP Components
4.1 Strategy for Ensuring Capital Adequacy
4.1.1 Risk Policy Principles
4.1.2 Risk Appetite
4.1.3 Actual and Target Risk Structure
4.1.4 Basic Structure of Risk Management
4.2 Assessment of All Material Risks
4.2.1 Classification of Risks
4.2.2 Credit Risks
4.2.2.1 Counterparty/Default Risk
4.2.2.2 Equity Risk (Participations)
4.2.2.3 Credit Risk Concentrations
4.2.3 Market Risks in the Trading Book, Foreign Exchange Risks at the Overall Bank Level
4.2.4 Interest Rate Risks in the Banking Book
4.2.5 Liquidity Risks
4.2.6 Operational Risks
4.2.7 Other Risks
4.2.8 Defining Specific Assessment Procedures for All Material Risks
4.2.9 Aggregation of Risks
4.2.9.1 Aggregation at Institution Level
4.2.9.2 Aggregation at Group Level
4.3 Definition of Internal Capital
4.3.1 Classification and Composition of Equity Capital Types
4.3.1.1 Balance Sheet Equity
4.3.1.2 Net Asset Value of Equity
4.3.1.3 Total Market Value of Equity
4.3.1.4 Regulatory Capital
4.3.2 Suitability of Equity Capital Types for Various Hedging Objectives
4.3.3 Classification of Risk Coverage Capital
4.4 Securing Risk-Bearing Capacity
4.4.1 Linking Potential Risks to Risk Coverage Capital
4.4.2 Risk Limitation as Economic Capital Budgeting
4.4.3 Using Stress Tests
4.5 Processes and Internal Control Mechanisms
4.5.1 Incorporating the ICAAP into Bank Management
4.5.1.1 ICAAP as a Dimension of Strategic Management
4.5.1.2 ICAAP as a Dimension of Operations Management
4.5.2 The ICAAP Risk Management Process
4.5.2.1 Risk Identification
4.5.2.2 Quantifying Risks and Coverage Capital
4.5.2.3 Aggregation
4.5.2.4 Ex Ante Control
4.5.2.5 Risk Monitoring and Ex Post Control
4.5.2.6 Quality Assurance and Control Process
4.5.3 Risk Management Organization in the ICAAP
4.5.3.1 Structural Organization
4.5.3.2 Risk Control as a Separate Function in Risk Management
4.5.4 Functions of the Internal Control System in the ICAAP
4.5.5 References to FMA Minimum Standards
5 ICAAP Implementation
5.1 Steps in the Implementation Process
5.2 Critical Success Factors in ICAAP Implementation
References
List of Abbreviations

1 Introduction

The three-pillar model of Basel II places increased emphasis on risk management in addition to providing guidelines for the calculation of capital requirements and defining extended disclosure requirements. Banks are thus faced with the challenge of developing internal procedures and systems in order to ensure that they possess adequate capital resources in the long term with due attention to all material risks. In the international discussion, these procedures are referred to collectively as the ICAAP (Internal Capital Adequacy Assessment Process). In developing its ICAAP, the bank is required to consider quantitative as well as qualitative criteria such as the establishment of suitable processes.

Banks should be able to demonstrate that they have implemented the methods and systems necessary in order to ensure their capital adequacy. For their part, the competent supervisory authorities are required to assess these procedures and to impose supervisory measures as necessary.

On the basis of supervisory requirements, this guideline explains possible procedures and methods to assist practitioners in the implementation of an ICAAP. Although this guideline is intended for credit institutions and investment firms alike, the term "credit institution" (or simply "bank") is used throughout the document for the sake of simplicity.

2 Basic Structure of the Internal Capital Adequacy Assessment Process (ICAAP)

2.1 Supervisory Background

On November 15, 2005, the Basel Committee on Banking Supervision issued the revised framework of the Basel II capital accord of June 26, 2004. This publication is a revision of the original capital accord finalized in 1988 ("Basel I") and is intended to enable banks to assess the risks involved in lending more precisely and to ensure more risk-sensitive capital requirements. The overarching goal of the new regulatory capital framework is to enhance the stability of the international financial system.

2.1.1 ICAAP in the Basel II Capital Accord

While the Basel I framework was confined to the minimum capital requirements for banks in order to ensure the stability of the financial system, the Basel II accord expands this approach to include two additional areas, namely the supervisory review process and increased disclosure requirements for banks. According to Basel II, the stability of the financial market therefore rests on the following three pillars, which are designed to reinforce each other (cf. Chart 1: Three-Pillar Architecture of Basel II):

Pillar 1: Minimum Capital Requirements — a largely new, risk-adequate calculation of capital requirements which (for the first time) explicitly includes operational risk in addition to market and credit risk.

Pillar 2: Supervisory Review Process (SRP) — the establishment of suitable risk management systems in banks and their review by the supervisory authority.

Pillar 3: Market Discipline — increased transparency due to expanded disclosure requirements for banks.

Chart 1: Three-Pillar Architecture of Basel II

On the one hand, Pillar 2 (Supervisory Review Process) requires banks to implement a process for assessing their capital adequacy in relation to their risk profiles as well as a strategy for maintaining their capital levels — i.e. the Internal Capital Adequacy Assessment Process (ICAAP).

On the other hand, Pillar 2 also requires the supervisory authorities to subject all banks to an evaluation process and to impose any necessary supervisory measures on this basis.

The Basel Committee has defined the following four basic principles for the supervisory review process:

Principle 1: Banks should have a process for assessing their overall capital adequacy in relation to their risk profile and a strategy for maintaining their capital levels.

Principle 2: Supervisors should review and evaluate banks' internal capital adequacy assessments and strategies, as well as their ability to monitor and ensure their compliance with regulatory capital ratios. Supervisors should take appropriate supervisory action if they are not satisfied with the result of this process.

Principle 3: Supervisors should expect banks to operate above the minimum regulatory capital ratios and should have the ability to require banks to hold capital in excess of the minimum.

Principle 4: Supervisors should seek to intervene at an early stage to prevent capital from falling below the minimum levels required to support the risk characteristics of a particular bank and should require rapid remedial action if capital is not maintained or restored.

2.1.2 Definitions

On the basis of supervisory sources, the components of Pillar 2 are defined more precisely below.

ICAAP — Internal Capital Adequacy Assessment Process

The ICAAP comprises all of a bank's procedures and measures designed to ensure the following:
- the appropriate identification and measurement of risks;
- an appropriate level of internal capital in relation to the bank's risk profile; and
- the application and further development of suitable risk management systems.

SRP — Supervisory Review Process

The abbreviation SRP refers to the supervisory review process, which covers all of the processes and measures defined in the principles listed above. Essentially, these include the review and evaluation of the institution's ICAAP, the performance of an independent assessment of the institution's risk profile, and if necessary taking prudential measures and other supervisory actions.

2.1.3 Supervisory Basis for Implementation in Austria

At the European level, the Basel Committee's revised framework, which was published as a recommendation, is being incorporated into existing directives in order to make the framework compulsory for credit institutions and investment firms operating within the EU. The requirements of Basel II are in part reflected in the recast EU Directive 2000/12/EC, which will serve as the basis for implementation in national law.¹ In Austria, the legal framework is defined by the Austrian Banking Act (BWG) as well as the relevant FMA regulations.

With regard to Pillar 2, the following requirements of the recast EU Directive 2000/12/EC are particularly relevant:
- sound corporate management with a clear organizational structure and responsibilities;
- effective procedures for determining, controlling, monitoring and reporting current and future risks as well as appropriate internal control mechanisms;
- adequate rules, procedures and mechanisms with regard to the nature, scale and complexity of the bank's business activities;
- comprehensive strategies and procedures for continuous evaluation and regular review of the amount, composition and distribution of internal capital which is considered adequate to cover current risks and any future risks in both quantitative and qualitative terms.

Moreover, the EU Directive 2000/12/EC sets forth the duties of supervisory authorities, calling for evaluations of the banks' internal processes and strategies as well as their risk profiles.

In cases where the directive is violated, supervisory measures — which may also include requiring banks to hold additional capital — must be imposed.

The SRP requirements and supervisory requirements apply mutatis mutandis to the supervision of investment firms (cf. Article 37 of Directive 93/6/EEC on the capital adequacy of investment firms and credit institutions).

In order to support the consistent implementation of Community directives and to foster the convergence of supervisory practices in the European Union, the Committee of European Banking Supervisors (CEBS), which consists of high-level EU representatives from the competent supervisory authorities, has published — amongst others — a guidance on the application of the supervisory review process under Pillar 2 of Basel II.

¹ EU Directive 93/6/EEC has also been adapted to reflect the new requirements under Basel II.

2.2 Motivation and Necessity from a Business Perspective

Risk is a significant aspect of business activities in a market economy. As risk taking or transformation of risks constitutes a major characteristic of the banking business, it is especially important for banks to address risk management issues. The necessity from a business perspective has arisen from developments on the financial markets and the increasing complexity of the banking business. These circumstances call for functioning systems which support the limitation and control of the banks' risk situation.

Therefore, the implementation of an ICAAP is not rooted exclusively in supervisory considerations; rather, it should be in the best interest of all stakeholders of an institution. The owners are inherently interested in the continued existence of the bank as they expect a reasonable return on their investment and wish to avoid capital losses. Furthermore, the bank's employees, customers and lenders also have an interest in its survival. The individual interests of these groups do not have to be completely congruent; however, all parties should be interested in ensuring that the institution does not take on risk positions which might endanger its continued existence. The main motive for introducing the ICAAP can therefore be seen in ensuring a viable risk position by dealing with risks in the appropriate manner. In particular, it is important to detect developments which may endanger the institution as early as possible in order to enable the bank to take suitable countermeasures. In this respect, introducing an ICAAP serves the interests of all the internal and external stakeholders of a bank.

In this context, two problems arise: First, when calculating the bank's risk-bearing capacity, it is necessary to determine the extent to which a bank can afford to take certain risks at all. For this purpose, the bank needs to ensure that the available risk coverage capital is sufficient at all times to cover the risks taken. In the second step, the bank must review the extent to which risks are worth assuming, that is, it is necessary to analyze the opportunities arising from risk taking (evaluation of the risk/return ratio).

The main objective of the ICAAP is to secure the institution's risk-bearing capacity. Comprehensive risk/return management follows as a second — and desirable — step.

The ICAAP thus constitutes a comprehensive package which delivers significant benefits from a business perspective.

2.3 Basic ICAAP Requirements

Based on supervisory requirements and the benefits from a business perspective, the basic requirements to be taken into account in the development of an ICAAP are outlined below. In this process, banks can also rely on existing systems, procedures and processes.

- Securing capital adequacy: Banks should define a risk strategy which contains descriptions of their risk policy instruments and objectives. The explicit formulation of such a risk strategy aids in the early detection of deviations from the planned course and in initiating the corresponding countermeasures in a timely manner. In general, forward-looking aspects with regard to potential risks as well as changes in business strategies should be taken into account (forward-looking perspective).

- ICAAP as an internal management tool: The ICAAP should form an integral part of the institution's management and decision-making process.

- Obligation of banks / proportionality: Banks are generally required to maintain an ICAAP if they fall within the scope of application under the EU Directive 2000/12/EC (cf. Chapter 3.2.1, ICAAP at Various Levels within a Group). This requirement applies to banks which conduct complex business activities (involving a higher risk level in individual transactions) as well as small regional banks which engage in less complex activities. In line with the proportionality principle, this gives rise to different requirements regarding the adequacy of systems and methods. In an assessment based on risk indicators, each bank should determine the risks to which it is exposed and then make a general choice of implementation methods on that basis.

- Responsibility of the management: The overall responsibility for the ICAAP is assigned to the institution's management, which must ensure that the bank's risk-bearing capacity is secured and that all material risks are measured and limited.

- Assessment of all material risks: The ICAAP focuses on ensuring bank-specific ("internal") capital adequacy from a business perspective. For this purpose, all of a bank's material risks must be assessed. Therefore, the focus is laid on those risks which are (or could be) significant for the individual bank.

- Processes and internal review procedures: Merely designing risk assessment and control methods is not sufficient to secure a bank's risk-bearing capacity. It is only in the implementation of appropriate processes and reviews that the ICAAP is actually brought to bear. This ensures that every employee knows which steps to take in various situations. For the sake of improving risk management on an ongoing basis, the development of an ICAAP should be regarded not as a one-time project but as a continuous development process. In this way, input from ongoing experience can be used to develop simpler methods into a more complex system with enhanced control functions.

In this guideline, we present methods and procedures for the actual implementation of all the ICAAP elements mentioned above. The emphasis is mainly placed on pragmatic solutions which are also suitable for smaller, less complex institutions.

3 General Framework

3.1 Principle of Proportionality

Banks are required to apply the ICAAP regardless of their size and complexity. However, the ICAAP's specific design is determined according to the principle of proportionality. In this context, it is necessary to note that there is no generally accepted definition of proportionality; rather, it is the bank's responsibility to assess the adequacy of its ICAAP methods, systems and processes. This will primarily depend on the nature (i.e. risk level and complexity) and scale of the bank's business activities. Smaller banks which mainly engage in low-risk transactions might be able to fulfill the requirements in an appropriate manner using simple methods based on ICAAP principles. For banks which conduct highly complex business activities or handle high transaction volumes, it may be necessary to employ more complex systems in order to meet the ICAAP requirements.

The decision as to which systems are useful and appropriate in which areas for each bank should be made on the basis of the bank's specific risk structure. Based on indicators, the bank itself should identify the areas in which it should employ more complex risk measurement and management methods as well as the areas in which simpler methods would suffice.

3.1.1 Indicators for Specifying Risk Structure

The indicators described below for specifying a bank's risk structure provide guidance for banks in determining which types of risk are more and which are less significant.

These risk indicators are provided as suggestions and have been selected with a view to enabling a bank to carry out a self-assessment using simple methods and/or supervisory reporting data. The more significant a risk is considered on the basis of such risk indicators, the better the bank's risk measurement and management procedures should be (in line with the principle of proportionality).

The institution's management is responsible for assessing risk indicators. However, the management should also be able to justify this assessment vis-à-vis the supervisory authority. Each bank is responsible for defining risk management methods and systems which are appropriate to its own needs. At the same time, the bank must not disregard any other applicable regulations. In particular, the requirements for IRB banks and banks which submit trading book reports according to the CAD should be noted here. As a general rule for all banks, supervisory procedures must also be integrated into the bank's internal risk management.

At the overall bank level, for example, the following indicators might be used for an initial specification of the bank's risk structure:
- risk level of transactions;
- complexity of transactions;
- size of bank;
- scale of business activities;
- significance of new markets and new transactions (e.g. international business lines and trading activities, expansive activities abroad).

The bank's assessment of its specific risk profile based on these overarching risk indicators should be further differentiated to reflect individual risk types. As a result, a bank may have to use more or less sophisticated risk measurement procedures for each type of risk. The bank's assessment of risk indicators should also be reflected in its risk policies. This means, for example, that a bank which considers country risks to be immaterial will subsequently avoid taking on material country risks, that is, the bank will keep activities such as proprietary transactions in foreign securities, interbank trading with international counterparties or loans to foreign borrowers to a minimum. Possible indicators for the most significant risk types are described below.

Credit Risk Indicators

The structure of the bank's credit portfolio provides initial indications of its risk appetite. A large share of loans in a certain asset class (e.g. exposures to corporates) may point to increased risk. In addition, the presence of complex financing transactions such as specialized lending (project, object and commodities finance etc.) may also indicate a larger risk appetite. For a rough initial assessment, a bank can use the asset classes defined in the EU Directive 2000/12/EC to examine the distribution of its credit portfolio.²

A bank can use credit assessments (e.g. ratings) to measure the share of borrowers with poor creditworthiness in its portfolio; this provides an indication of default risk. The amount of available collateral — and thus the unsecured volume — also plays a role in this context. The lower the unsecured volume is, the lower the risk generally is; this relationship is also reflected in future supervisory regulations for calculating capital requirements. In this context, however, the type and quality of collateral are decisive; this can be assessed by asking the following questions: To what extent is the retention or liquidation of the collateral legally enforceable? How will the value of the collateral develop? Is there any correlation between the value of the collateral and the creditworthiness of the debtor?

A close inspection of the credit portfolio will provide further insights with regard to any existing concentration risks. In order to assess the size structure or granularity of its portfolio, the bank can also assess the size and number of large exposures (under Article 27 BWG). The bank should also consider the distribution of exposures among industries (e.g. construction business, transport, tourism, etc.) in assessing its risk situation. If a bank conducts extensive operations abroad (share of foreign assets), it is appropriate to take a closer look at the risks associated with those activities as well (e.g. country and transfer risks). The share of foreign currency loans in a bank's credit portfolio can also point to concentration risks. If the share of foreign currency loans is very high, exchange rate fluctuations can have adverse effects on the credit quality of the borrowers. If the foreign currency loans are serviced using a repayment vehicle which is heavily exposed to market risks, this indicates an additional source of risk which should be monitored accordingly and controlled as necessary.

² Cf. the segmentation requirements in the EU Directive 2000/12/EC or the descriptions in the OeNB/FMA Guidelines on Credit Risk Management, "Rating Models and Validation" and "Credit Approval Process and Credit Risk Management".

Equity Risk Indicators (Participations)

The share of equity investments in total assets or required capital can provide a first indication of how significant a bank's equity investments are. Another risk indicator can be found in the equity investments to be deducted from own funds under the Austrian Banking Act (BWG).³ If a considerable share of eligible capital is already tied up in equity investments, then a bank should also be in a position to perform a well-founded assessment of the economic risks associated with these investments.

The country of the investee companies also constitutes a risk indicator. An equity investment abroad can harbor additional risks, for example due to a different legal framework or other political influences. The industry and business areas in which the investee companies operate can also be used for an initial assessment of the risk involved. The size structure of these investments is also relevant, with the main question being whether a bank holds a large number of relatively small investments (i.e. a highly diversified portfolio) or whether concentration risks exist. The existence of unconditional letters of comfort, on the other hand, indicates a practically unlimited potential for loss. The liquidity of equity investments may also serve as a risk indicator: If equity investments are illiquid, it may not be possible for the bank to sell its share.

³ Article 23 paragraph 13 items 3 and 4 BWG.

Market Risks in the Trading Book, Foreign Exchange Risks at the Overall Bank Level

One risk indicator in the trading book can be derived from the sizes and types of trading portfolios as well as the resulting capital requirements. If supervisory limits are exceeded, the relevant provisions of the Austrian Banking Act apply. Another indicator of trading risks is the organization and design of trading operations. If traders are granted significant powers (own limits, risk capital) or if parts of their remuneration are based on trading performance, this will generally encourage riskier behavior.

A bank can determine its sensitivity to foreign exchange fluctuations on the basis of its open foreign exchange positions and (in the broadest sense) open term positions. The influence of foreign exchange fluctuations on the default probability of borrowers was already discussed in the section on credit risk indicators above in connection with foreign currency loans.

Interest Rate Risks in the Banking Book

The results reported in interest rate risk statistics (part of regulatory reporting requirements) constitute an essential indicator of the level of interest rate risk in the banking book. In these reports, the effects of a 200 basis point interest rate shock on the present value (fair value balance sheet) of the bank are examined. If this method demonstrates that material interest rate risks exist in the banking book, it is advisable to use more sophisticated risk measurement methods. In particular, a precise quantification of risks in terms of their effects on the income statement would appear useful.

Another risk indicator can be found in the bank's proprietary transactions both on and off the balance sheet. In accordance with the proportionality principle, the corresponding requirements increase in line with the scale of derivatives trading activities. Even in cases where a bank primarily uses derivatives to hedge other transactions or portfolios, the effectiveness of hedging transactions (i.e. hedge effectiveness) should be examined in order to avoid undesirable side effects. In the case of on-balance-sheet proprietary transactions, the need for more precise risk control grows along with the scale and complexity of the positions held (e.g. alternative investments, structured bonds).

Liquidity Risk Indicators

Banks can assess the significance of liquidity risks by comparing liquid or easily liquidated balance-sheet assets with short-term liabilities. For an initial assessment of liquidity risks, banks can rely on residual maturity statistics or liquidity as specified under Article 25 BWG. If, for example, short-term liabilities approach the level of liquid or easily liquidated balance-sheet assets, this can point to a higher level of liquidity risk. When assessing the significance of liquidity risks, a bank must also address the question of whether it is also required to provide liquidity for other banks in cases of need (e.g. as the central institution in a group). In such cases, liquidity management will also have to meet higher requirements.

Operational Risk Indicators

Two important indicators of operational risk are the size and complexity of a bank. As the number of employees, business partners, customers, branches, systems and processes at a bank increases, its risk potential also tends to rise.

Another risk indicator in this category is process intensity, for example, the number of transactions and volumes handled in payments processing, loan processing, securities operations and proprietary trading. Failures (e.g. due to overloaded systems) can bring about severe economic losses in banks with high levels of process intensity. The number of lawsuits filed against a bank can also serve as an indicator of operational risks. A large number of lawsuits suggests that there are substantial sources of risk within the bank, such as inadequate system security or insufficient care in processes and control mechanisms.

In cases where business operations (e.g. the processing activities mentioned above) are outsourced, the bank cannot automatically assume that operational risks have been eliminated completely. This is because a bank's dependence on an outsourcing service provider means that risks incurred by the latter can have negative repercussions for the bank. Therefore, the content and quality of the service level agreement as well as the quality (e.g. ISO certification) and creditworthiness of the outsourcing service provider can also serve as risk indicators in this context.

Indicators for Other Risks

Other risks which are not discussed explicitly in this guideline can also be significant for a bank. A definition of other risks can be found in Chapter 4.2, Assessment of all Material Risks. The category of other risks may also include risks in addition to the ones mentioned in that chapter. As other risks are not a highly standardized category, banks are well advised to define their own indicators as a basis for assessing the significance of this risk category.


3.1.2 Application of the Proportionality Principle to the Banking Market in Austria

Risk Indicator Levels on the Austrian Banking Market

The principle of proportionality accounts for the fact that different requirements will be appropriate for banks which conduct business activities of low complexity and low risk levels as compared to large, internationally active banks with complex business structures. Using several risk types as examples, this chapter discusses how the proportionality principle might be applied to the Austrian banking market.

Credit risk is the most important risk category for most Austrian banks, a fact which is evidenced by the loss provisions in Austrian banks' income statements. A consistent classification of risks is therefore a first step toward enhancing a bank's internal risk management system. In institutions with more complex business models, the various subtypes of credit risk will also be relevant.

A number of Austrian banks are characterized by high levels of international activity.4 The separate measurement of country risks is all the more important in cases where the country in question demonstrates a higher level of risk (lower rating, political instability, etc.).

Concentration risks appear in various forms. For example, foreign currency loans in Austria account for an average share of 20% of total assets, with significant differences appearing between the east and west of Austria. Furthermore, regional banks and banks which focus on certain professional groups may depend heavily on specific industries.

Securitization risk from the originator's perspective (i.e. sale of risks using securitization programs) affects only a few institutions in Austria. On the other hand, investing in securitization programs (e.g. asset-backed securities) is becoming increasingly popular. In addition to default risk, which can be captured effectively by means of an external rating, it may also be necessary to take additional risks into account in this context (e.g. operational risks).

Compared to credit risks, market risks in the trading book play a less prominent role overall. On average, only 3-4% of required capital could be attributed to the trading book between 2002 and 2005. For relatively small-scale trading activities (e.g. with a strong focus on brokerage trading and manageable exposures in money market trading), the risk management system will not have to be as sophisticated as in the case of intensive trading activities in various complex instruments and markets.

As regards interest rate risk in the banking book, a number of banks in Austria are evidently willing to take substantial risks in this area. If considerable potential present value losses arise in the supervisory stress test scenario (200 basis point interest rate shock), a more sophisticated risk measurement system would be more appropriate for the bank. In addition, numerous banks conduct predominantly floating-rate business (especially index-linked) and thus report relatively low figures in their interest rate risk statistics. Nevertheless, relatively high P&L risk can result from an overhang of floating-rate items on one side of the balance sheet or from differing interest reset practices for floating-rate positions; this risk should be managed accordingly.

4 Cf. Financial Stability Report.

In the banking book, other market risks may also be relevant in addition to interest rate risk. In general, Austrian banks are fairly cautious about positions in individual stocks in the banking book. However, banks should be particularly aware of the risks of individual positions held in funds (e.g. equities, derivatives). For large derivatives portfolios, it should also be possible to value the positions and depict their risk levels accurately. In this context, the risk calculations of third parties (e.g. investment fund management companies) can be used if they are reliable and comprehensible.

The significance of operational risks must not be underestimated in Austria either. For example, disruptions or breakdowns in IT systems, or criminal acts committed by people inside or outside the bank (robbery, fraud) can generate losses for banks.

Based on an evaluation of indicators for each type of risk, the bank's management can construct an overall risk profile for the bank. Using this assessment, the management can then determine the requirements which an adequate risk management system must fulfill for the ICAAP as well as the risk types on which the bank may need to focus.

Risk Indicator Levels at Sample Institutions

This chapter presents several examples of how a bank's risk indicators might look.

Chart 2: Possible Risk Indicator Levels

For Bank A, the risk types mentioned above would have little significance under the proportionality principle. The bank shows a low level of complexity and low risk levels. Besides, Bank A does not have any trading positions. For the purpose of measuring its risks and calculating its internal capital needs, Bank A could calculate its capital requirements using the Standardized Approach (or the Basic Indicator Approach in the case of operational risk).

In terms of its total assets and number of employees, Bank B is comparable to Bank A, but Bank B's transactions show a markedly higher risk level. In addition, concentration risks exist with regard to size classes (e.g. several relatively large loans to medium-sized businesses), borrowers in the same industry and foreign currency loans. In this bank, methods which go beyond the Standardized Approach should be employed and/or adequate qualitative measures (monitoring/reporting) should be set. Furthermore, Bank B should pay more attention to concentration risks, for example by adhering to suitable individual borrower limits based on creditworthiness or by implementing the FMA minimum standards for foreign currency loans. In this example, using more advanced systems would also be sensible in other areas, such as interest rate risk in the banking book.

Bank C shows high credit exposures to SMEs and has also granted a number of relatively large loans. This results in a certain degree of concentration risk. In addition, the bank is exposed to relatively high interest rate risks. In fact, Bank D has large exposures to almost all risk types. The bank's size and structure can be described as complex, and country risks are also an issue. It would make sense to use more advanced techniques (e.g. a VaR model) for interest rate risk at Banks C and D; Bank D should also use a more sophisticated model for market risk. Due to the higher risk level and the existing complexity with regard to credit risk, the bank should use adequate risk-sensitive techniques (e.g. based on the IRB approach or a credit portfolio model).

The individual institutions in this example have to define the scale and type of risk management system which is appropriate to their activities, with due attention to applicable supervisory requirements. The choice of suitable risk measurement procedures to determine risks and internal capital needs plays a decisive role in this context. Moreover, the proportionality concept also has effects on process and organizational design: Institutions which demonstrate a high level of complexity or a large risk appetite have to fulfill more comprehensive requirements.

Given the large number of small and very small banks in Austria, it may be useful for institutions to cooperate in risk management (e.g. systems or IT), as has been the case in some fields already. This type of cooperation includes sectoral arrangements which enable risk measurement and risk reduction. However, it is necessary to note that in any case the bank's management still bears the ultimate responsibility for the ICAAP. In particular, this means that even the smallest banks will have to appoint an employee to analyze and evaluate the information (reports, etc.) provided under outsourcing arrangements and to incorporate this information into the bank's control procedures. Furthermore, it is important to remember that the size of a bank is not the only decisive factor in ICAAP requirements. Small institutions can also demonstrate a relatively large risk appetite due to the structure of their business activities, and this will require them to deploy more advanced risk management systems. However, it is equally possible that a larger bank in which a certain risk type is not significant (or only of limited significance) will only use the standard procedures for calculating minimum capital requirements for that specific risk type in the ICAAP.


3.2 Levels of Application within Groups

3.2.1 ICAAP at Various Levels within a Group

In general, three different levels of application can be distinguished for ICAAP requirements5 within a banking group:
(1) individual institution level;
(2) consolidated level;
(3) subconsolidated level.

In these cases the provisions of the EU Directive 2000/12/EC depend on the status of the respective institution within the banking group, that is, the level of ICAAP application as well as the scope of consolidation for ICAAP fulfillment may change depending on whether the credit institution is a parent undertaking or a subsidiary. In the provisions regarding the ICAAP, a national perspective was chosen. Whether a given bank is treated as an individual institution or as a consolidating (or consolidated) institution therefore depends on its status within the respective Member State.

The three charts below provide schematic diagrams of various configurations from the Austrian perspective.

ad (1): Individual Institution Level

Credit institutions which are treated as individual institutions are required to fulfill the obligations arising from the ICAAP provisions on an individual basis (cf. Chart 3: Fulfillment of ICAAP Requirements (Individual Basis)).

The following are considered individual institutions:
- "actual" individual institutions;
- credit institutions excluded from the scope of consolidation;6
- credit institutions which are neither subordinate nor superordinate to another institution at the domestic level.

Chart 3: Fulfillment of ICAAP Requirements (Individual Basis)

Credit institutions which are parent undertakings or subsidiaries in the Member State where they are authorized and supervised (i.e. Austria for the purposes of this guideline) are exempt from the ICAAP requirements on an individual basis. This means that if a subordinate or superordinate credit or financial institution exists within Austria, the ICAAP requirements no longer have to be fulfilled at the level of the individual institution.

5 The scope of ICAAP application (Article 123 of the EU Directive 2002/12/EC) is governed by Articles 68 to 73 of the Directive. These articles apply mutatis mutandis to investment firms (cf. Article 2 of the EU Directive 93/6/EEC [CAD]).

6 Cf. Article 73 of the EU Directive 2000/12/EC.

At this point, it is important to reiterate that the mere fact that a credit institution is a parent or subsidiary institution from the group perspective (across national borders) does not necessarily imply an exemption from ICAAP requirements at the individual institution level. The sole deciding factor is whether the institution has subordinate or superordinate institutions within the Member State where it is authorized and supervised.

ad (2): Consolidated Level

If a bank has subordinate or superordinate institutions within Austria, it is generally exempt from ICAAP requirements on an individual basis. In such cases, the national parent credit institution7 alone is responsible for fulfilling the requirements on the basis of its consolidated financial situation.

Chart 4: Fulfillment of ICAAP Requirements (Consolidated Level)

If the parent institution is a financial holding company, then that credit institution which is controlled by the holding company and required to consolidate under Articles 125 and 126 must fulfill the requirements on the basis of the financial holding company's consolidated financial situation (cf. Chart 4: Fulfillment of ICAAP Requirements (Consolidated Level)).

The "top" credit institution in a Member State is thus required to fulfill ICAAP obligations on the basis of its consolidated financial situation.8 On the other hand, for the fulfillment of ICAAP requirements on a consolidated basis it is of no consequence where the subsidiary is located. This means that even if the subsidiary is incorporated abroad, the parent institution is still required to fulfill ICAAP requirements on the basis of its consolidated financial situation. The difference lies in the fact that the existence of a domestic subsidiary renders the parent institution exempt from fulfilling ICAAP requirements on an individual basis. Therefore, it is again important to emphasize that the existence of a parent credit or financial institution only brings about an exemption (i.e. from ICAAP requirements on an individual basis) if that institution is authorized and supervised within the same Member State.9

7 The Directive uses the term "parent credit institution in a Member State" (cf. definition in Article 4 item 14 of the Directive) to denote parent institutions which are not subsidiaries of other credit institutions or financial holding companies authorized or set up in the same Member State.

8 The form and extent of consolidation are defined in Article 133 of the EU Directive 2000/12/EC.

ad (3): Subconsolidated Level

Finally, subsidiary credit institutions (or their parent undertaking, where it is a financial holding company) which have a credit/financial institution or asset management company as a subsidiary in a third country (i.e. a country outside of the EU) or hold a participation in such an undertaking have to implement an ICAAP on a subconsolidated basis (cf. Chart 5: Fulfillment of ICAAP Requirements (Subconsolidated Level)).

Chart 5: Fulfillment of ICAAP Requirements (Subconsolidated Level)

Therefore, subsidiary institutions are subject to the ICAAP requirements only in those cases where they have subsidiaries or hold a participation (if it is a credit/financial institution or asset management company) in a third country.10 In such cases, the subsidiary credit institution must fulfill the provisions of Article 123 for the subgroup, whereas the national parent institution (as described under item 2) has to fulfill them for all of its subordinate companies within the banking group.

In summary, the following basic rules (from the Austrian perspective) can be stated regarding the levels of ICAAP application:
- The treatment of a credit institution as a parent undertaking or a subsidiary depends on its status within Austria.
- A credit institution which is either a parent undertaking or a subsidiary in Austria is exempt from the ICAAP requirements on an individual basis.
- Credit institutions which have the status of a parent credit institution in Austria are required to fulfill the ICAAP requirements on the basis of their consolidated financial situation.
- Subsidiary credit institutions in Austria are only subject to ICAAP requirements (at the subconsolidated level) if they (or their parent financial holding company) have a subsidiary (credit/financial institution, asset management company) in a third country or hold a participation in such an undertaking.

9 For the sake of completing the example in chart 4 (left-hand side): A parent undertaking (if it is a credit institution) which is registered in another Member State and has no subordinate or superordinate national institutions is required to fulfill ICAAP requirements on both an individual and a consolidated basis.

10 This also applies in those cases where a financial holding company is the parent of a subsidiary in a third country.


The possible levels of ICAAP application can be illustrated using the following (simplified) example of a newly established bank:

Upon incorporation, the bank is considered an individual institution, meaning that no superordinate parent institution exists at this time. As a result, the bank is required to introduce sound, effective and comprehensive strategies and procedures on its own in order to ensure internal capital adequacy. If this bank is then taken over by a foreign bank, the situation of the Austrian bank remains unchanged with regard to the ICAAP (the original bank is still treated as an individual institution within Austria). On the other hand, if the bank is taken over by an Austrian bank, the former is then exempted from ICAAP requirements. The new parent institution is then responsible for fulfilling ICAAP requirements on the basis of its consolidated financial situation and for integrating its new subsidiary into its risk calculations.

If the original individual institution is not taken over but establishes a subsidiary of its own in Austria, or if the individual institution takes over another bank in Austria, then the original institution must include the subsidiary in its capital adequacy assessment and thus apply the ICAAP not on an individual basis but on the basis of its consolidated financial situation (as a national parent credit institution).

If one of the Austrian subsidiary credit institutions then founds another subsidiary (credit institution, financial institution, asset management company) in a third country or takes a sufficiently large stake in such an undertaking, then this new part of the group also has to be treated separately (subconsolidation). The respective parent credit institution of the new non-EU subsidiary is then subject to ICAAP requirements on a subconsolidated basis. This is the only case in which a subsidiary credit institution in a Member State (Austria) is also subject to ICAAP requirements.

3.2.2 Possible Methods of ICAAP Implementation at the Consolidated Level

The provisions regarding the ICAAP state that credit institutions should have in place sound, effective and complete strategies and processes with which they can continually evaluate the amount of internal capital they deem appropriate to cover their risks and with which they can maintain this capital at a sufficiently high level. As described in the previous chapter, the relevant national parent credit institution is responsible for observing these requirements on a consolidated basis. As a result, the parent credit institution should be in a position to aggregate, assess and (where necessary) control the material risks of the individual institutions belonging to the group; this also applies to the parent's own risks. Two implementation methods — complete involvement and supplying risk information — can be used for the purpose of ensuring capital adequacy as well as orderly business organization in the overall group:


Chart 6: Possible Methods of ICAAP Implementation at the Consolidated Level

The basic solution involves risk control based on reports submitted by subordinate companies. In this method, the superordinate company has its subordinates report on their material risks in aggregate form on a predefined regular cycle. Here we can differentiate various levels of standardization: For example, a low level of standardization in the supply of risk information might be used in an initial stage of integration (e.g. in the case of newly acquired subsidiaries). However, superordinate institutions should make efforts to improve the level of integration and standardization in reporting. It is therefore advisable to regard data provision based on minimum standardization (or based on the methods and formats of the subordinate companies) as an initial, temporary solution. Such a method should only be deployed over a longer period of time in cases where legal regulations do not allow full implementation of the appropriate standards. In a more advanced integration scenario, the superordinate institution will set detailed and harmonized requirements for risk control procedures at subordinate institutions. In this way, it is easier to ensure that risk systems and risk evaluation procedures are consistent with those of the superordinate company.

The direct involvement of subordinate companies in the parent's risk management process is the second, more comprehensive method of ensuring adequate risk capital at the group level. In this scenario, the risk-bearing positions and transactions of the companies involved are incorporated into the parent's risk monitoring and management. This procedure is also known as the "look-through" approach, and it allows very precise assessment and control of potential risk from the group perspective. Due to the increased effort involved in connecting the individual risk control systems of subordinate companies, applying this method is only realistic for more significant companies within the group. For example, it makes sense to apply the look-through approach in the case of special agreements (e.g. letters of comfort) where the risk to the superordinate company is not automatically limited to the book value or market value of the subordinate company.

Against this backdrop, it may be useful to rank the relevant companies according to their significance for the group's risk position. Depending on each company's weight and the available intervention possibilities, the method used can be determined in the process of group-wide management. However, these control and monitoring methods do not have to be defined uniformly for all companies; they may be differentiated according to certain characteristics such as risk types. For example, a company with a high level of credit risk might be incorporated into the superordinate company's risk management process with regard to credit risk, but for market risk it might submit aggregate figures based on predefined standards.

In addition to defining methods for the execution of group control, it is also very important to assign responsibilities for group-related requirements. Here the following principles should be observed:

The management of the superordinate company is responsible for all essential elements of the group's risk management. The management can only fulfill this responsibility if it is in a position to evaluate risks on a consolidated basis and to initiate the necessary control measures.

To this end, the processes and related tasks, competences and communication channels in group-wide risk management must be defined clearly and coordinated (in terms of materiality for the group's risk position, consolidation methods, etc.).

3.3 Responsibility of the Credit Institution for the ICAAP

In general, every credit institution is required to implement an ICAAP within the scope of application discussed in Chapter 3.2, Levels of Application within Groups.

Therefore, it is the duty of every credit institution to employ suitable measures and processes in its ICAAP. In this context, credit institutions are free to use their own definitions and processes. However, they will be required to demonstrate to the supervisory authority that the ICAAP is both complete and appropriate for the risks arising from their business activities and environment.

The ICAAP not only has to be applied for supervisory purposes; rather, it should be an integral part of risk management.

3.3.1 Responsibility of the Management

Due to the central importance of the ICAAP for bank management, the responsibility for its definition, design and ongoing development is assigned to senior management. Under current legislation in Austria, the managers' responsibility is set forth in Article 39 of the Austrian Banking Act.

In this context, the ICAAP should not be treated as an isolated process but incorporated into the credit institution's strategic and operations management as a component of corporate management.

The parameters essential to the ICAAP are determined in the strategic management process. Here the management has to define the cornerstones of its ICAAP, including the credit institution's risk strategy and risk policy principles. In this process, it is also important to establish clear and transparent reporting lines and to define the corresponding responsibilities.

Within the framework of operations management, the ICAAP forms part of ongoing risk management, which refers to all activities aimed at systematically handling risks within a credit institution. The general conditions set out in the bank's risk strategy are operationalized in risk management. The steps necessary in this process are discussed in Chapter 4.5.2, The ICAAP Risk Management Process. The results and reports generated by the ICAAP should serve as a basis for management decisions and bank control. The management must make its decisions independently and on the basis of the information necessary for evaluating all relevant factors.

Specifically, managers must perform the following tasks in the ICAAP:
- definition of corporate objectives and risk strategies, definition of the bank's risk profile, and establishment of the corresponding procedures and processes, including documentation;
- definition of strategies and procedures for adherence to capital requirements (establishment of a limit system) and for risk-based capital allocation;
- dissemination of information on these strategies and procedures to the employees concerned;
- establishment of a suitable internal control system, especially with regard to the ICAAP (for more information, see Chapter 4.5.4, Functions of the Internal Control System in the ICAAP);
- functional and organizational segregation of responsibilities, and management of conflicts of interest;
- ensuring that employees have the necessary qualifications;
- regular (at least annual) review of systems, procedures and processes, and adaptation as necessary.

3.3.2 Outsourcing ICAAP Tasks

Parts of the ICAAP can be outsourced to third parties. Outsourcing refers to the provision of goods and services by parties outside the institution which is subject to supervision; the provider may also be a credit or financial institution. With regard to outsourcing, the following essential points must be observed:
- The management's responsibility for the ICAAP cannot be outsourced (i.e. it remains unaffected by outsourcing);
- It is necessary to ensure that the credit institution has or retains access to all relevant information within the framework of the ICAAP;
- Activities and functions which are outsourced are still subject to supervision by the competent authority (FMA). Therefore, outsourcing must not present any kind of obstacle to the FMA's performance of its supervisory duties;
- Outsourcing agreements are to be concluded entirely in writing, unless there already is a regulation either by law or statute;
- It is also necessary to note that outsourcing activities can generate additional risks (especially operational risks). In order to minimize these risks, either the division of tasks should be clearly defined (e.g. within sectoral structures) or the bank should conclude appropriate service level agreements (SLAs) with the outsourcing service provider.

Additional outsourcing-related considerations can be found in the Consultation Paper on High Level Principles on Outsourcing (CP02) published by the Committee of European Banking Supervisors (CEBS) in April 2004.

3.4 Documentation Requirements

The ICAAP has to be designed in a transparent and comprehensible manner. This will not only aid employees in understanding, accepting and applying the defined procedures, it will also make it easier for the bank to review the adequacy of its methods and rules regularly and to enhance them on an ongoing basis.


For this reason, it is advisable to draw up formal written documentation (allowing for already existing forms of documentation and definitions that comply with the requirements) on all essential elements of the ICAAP.

In creating the required documentation, the bank should ensure that the depth and scope of its explanations are tailored to the relevant target group. It is therefore sensible to use various levels of detail in the actual implementation of documentation requirements. For illustration purposes, a sample scenario with three levels is described below (cf. also Chart 7: Fulfillment of Documentation Requirements).

At the top level, it is advisable to articulate the bank's fundamental strategic attitude toward risk management. This will reflect the institution's basic orientation and guide all ICAAP-related decisions. The bank's basic strategic attitude can be documented in the form of a risk strategy. The essential components of such a strategy include risk policy principles, statements as to the bank's risk appetite, a description of the bank's fundamental orientation with regard to individual risk types, and comments on the future development of the bank's business divisions. The risk strategy should be approved by the entire management board of the bank. Accordingly, a concise description with a high level of aggregation is recommended. As the bank's risk strategy contains fundamental statements, it should cover a fairly long time horizon (for a detailed discussion of possible contents, see Chapter 4.1, Strategy for Ensuring Capital Adequacy).

At the next level down, the bank should provide a more detailed explanation of the methods and instruments employed for risk control and management. In practice, such a document is frequently referred to as the bank's risk manual. Essentially, the risk manual contains a description of the risk management process, definitions of all relevant risk types, explanations of evaluation, control and monitoring procedures for risk positions (separate for each risk type), and a discussion of the process of launching new products or entering new markets. Due to the relatively high level of detail in this document, it may be helpful to assign primary responsibility for the risk manual to the executive in charge of risk management. In general, the depth of these explanations also implies that it will be necessary to revise at least certain parts of the document on a regular basis. For this reason, it is advisable to label the document's sections with the last revision date as well as the name of the organizational unit responsible.

At the third level in our example, the bank should provide a summary of other documentation on risk management. This might include specific work instructions or manuals for certain IT applications. Accordingly, the documents at the bottom level will tend to contain the highest level of detail and undergo revisions most frequently.

Ensuring that documentation is complete and up to date is a crucial task in the creation and maintenance process. Moreover, banks should ensure that documents are written and stored systematically and in a way which is comprehensible to competent third parties. Not all of a bank's documentation will have to be rewritten in the course of implementing the ICAAP requirements. Instead, the documentation can be based on existing guidelines and regulations. However, documentation should be updated in line with any adaptations or extensions of internal risk management resulting from ICAAP implementation and systematically reorganized as necessary.


Chart 7: Fulfillment of Documentation Requirements

The scope and level of detail of documentation should be proportionate to the size, complexity and risk levels of the specific institution. If, for example, an institution's self-assessment shows that it is consistently exposed to low risk, this will be reflected in fairly lean documentation requirements.

Structured documentation contributes to the transparency of the institution's ICAAP and thus allows the management board to assess the design of the credit institution's internal ICAAP more effectively. Moreover, both new and more experienced employees in the risk management field can derive their work instructions from the credit institution's documentation. Furthermore, documentation also supports the internal audit unit in reviewing the institution's ICAAP. Finally, complete documentation of all significant processes and rules is also invaluable for the purpose of demonstrating the adequacy of the institution's ICAAP vis-à-vis the supervisory authority.


4 ICAAP Components

4.1 Strategy for Ensuring Capital Adequacy

In designing an ICAAP, the bank must address core issues and define general strategic conditions for the organization based on its fundamental attitude toward risk and risk management. The result of this process is the institution's risk strategy,11 which should be documented in writing. The scope and level of detail of this strategy depend on the size, complexity and risk levels of the specific institution, but a concise strategic outline should be preferred over an excessively long description.12 The chart below shows the basic relationships between the bank's fundamental risk attitude and its risk strategy.

Chart 8: Relationships between Risk Strategy and Fundamental Risk Attitude

Every bank is characterized by a fundamental attitude toward risk and risk management. This basic attitude manifests itself in the bank's risk policy principles, its risk appetite, its (current and planned) risk structure as well as the structure and positioning of risk management within the institution. These elements already exist in every bank, for example in the existing risks on the bank's books, in the existing organization or in the instruments used for risk management. Likewise, in many cases risk-related opinions and principles as well as the bank's risk appetite are already in place. However, they are often not articulated explicitly but "stored" in the minds of the relevant employees.

The purpose of explicitly formulating a risk strategy is to create a transparent and consensual general framework for the ICAAP and for internal risk management, thus securing the organization's objectives in the long term. This does not mean defining abstract requirements which are remote from day-to-day operations. Articulating the bank's fundamental attitude toward risk prevents contradictions, a lack of transparency or personnel-related imbalances from arising in the bank's handling of risks. The risk strategy must be approved by the management and updated periodically (and at other times as necessary). The individual elements of such a strategy are described below.

11 In this guideline, the terms "risk strategy" and "risk policy" are used synonymously.

12 Cf. Chapter 3.4, Documentation Requirements.

Example: Risk Strategy Elements in a New Strategic Business Project

If, for example, a bank wishes to expand into the field of commercial real estate financing, its risk strategy should define the internal risk management framework for this new project.

For example, the possible occurrence of concentration risks in the field of commercial real estate financing should be incorporated into strategic considerations (e.g.: Is there a danger of increased industry concentration? Will risk assessment results depend heavily on the real estate market?). Aspects such as securing the required know-how must also be taken into consideration in the bank's risk strategy (e.g.: Does the bank already have sufficient know-how on real estate valuation, or how can the bank gain this expertise?).

The next central issue in the bank's risk strategy is the amount of risk capital which should be made available for the commercial real estate unit. The allocated risk capital can then be used to set the corresponding limits (e.g. for specific regions, industries, individual transaction limits) for this line of business or its sub-units. In addition, a required return can be defined for the risk capital allocated; this target may itself become the basis for strategic pricing considerations in the new business unit. Finally, the new unit has to be integrated into the bank's set of risk control instruments and its ongoing risk management process, so that risks and limits can be monitored and any necessary control measures can be taken.

In this way, the bank's risk (sub-)strategy ensures from the outset that the implementation and control of the new business project is consistent with the bank's strategic risk objectives.

The risk strategy for the commercial real estate financing unit thus defines the framework for internal risk management and ensures that the implementation and details are consistent with strategic objectives.

4.1.1 Risk Policy Principles

The bank's risk strategy is based on its risk policy principles, which include all central rules of conduct for handling risks within the bank. These principles form the basis for a maximum of uniformity in the employees' understanding of the bank's risk management goals throughout the organization.

Risk policy principles must be defined by the management and should be reviewed regularly and adapted whenever necessary. The following examples might be included in a bank's risk policy principles (in practice, these would be replaced or supplemented with additional principles which suit the specific institution):

• The management and all employees feel committed to the bank's risk policy principles and make their day-to-day decisions according to these guidelines.

• The bank's risk management is organized in such a way as to prevent conflicts of interest among employees and organizational units.

• With regard to material risk types (which in some cases may endanger the bank's existence), the bank aims to practice risk management at a level which is at least on par with other institutions of similar structure and size (best-practice approach).

• In the case of an unclear risk situation or doubts with respect to methodology, the principle of prudence shall take precedence.


• Risk management and the ICAAP are primarily based on the going concern objective. Additional requirements — especially those of a supervisory nature — generally must be fulfilled by maintaining the appropriate cushions.

• In general, the institution focuses its exposures only on lines of business in which it possesses the expertise necessary to evaluate specific risks.

• The introduction of new business lines or products is generally preceded by a suitable analysis of business-specific risks.

If the risk policy principles are known throughout the bank, employees will be able to deduce which course of action complies with the principles in many specific cases. If, for example, the company's risk policy principles require adherence to the principle of prudence in all cases of doubt, many questions of interpretation in the implementation and realization of risk management systems can be resolved without the need for extensive inquiries or coordination.13

In addition to the overall bank perspective, it is often helpful to establish certain principles for specific risk types, for example in a credit risk policy, market risk policy or liquidity risk policy. In the case of credit risk, for example, the bank could stipulate that loans should not be granted to borrowers of poor credit quality on the basis of collateral alone, or that each individual transaction must be assigned a rating.

4.1.2 Risk Appetite

Apart from risk policy principles, the bank's risk appetite is another influencing factor in its fundamental risk attitude. Risk appetite is defined as the bank's willingness to take on financial risks as quantified by the appropriate indicators (i.e. as a measure of the bank's risk-seeking behavior). The definition of a suitable risk appetite is a basic operational prerequisite for the bank to set consistent risk limits.

In this context, the following factors (expressed here in general terms) must be observed:

• How much risk can the bank take on (and especially: which supervisory constraints have to be observed)?

• How much risk does the bank want to take on (and at what rate of return)?

• How much capital is necessary to cover the specific risks involved (capital planning)?14

The last point, capital planning, is one of the core tasks in the definition of a bank's risk appetite. The bank's capital planning should clearly reflect its current capital needs, planned capital consumption, targeted future capital level given its intended risk appetite, and rough plans for external and internal sources of capital. The following aspects of capital planning should not be neglected:

• Dependency of capital planning on stages in the business cycle (especially relevant to credit risk);

• International legislation: In capital planning for internationally active banks, differences between national legal frameworks (e.g. tax law, contract law, etc.) must also be taken into account.

13 For example, this could play a role in handling correlations in risk aggregation or in the limitation of allocated risk coverage capital to those components which will certainly be available even in cases of crisis.

14 Here the term "capital" is intentionally not specified, that is, the distinction between regulatory (own funds) and internal capital is not yet drawn at this point.


In this context, the management's primary task is to strike a balance between the interests of equity investors, lenders and supervisory authorities, which define requirements for the minimum capital to be maintained. A targeted external rating and the (indirectly related) confidence level for loss probability (as specified by rating agencies) can also play an essential role here.

In the next step, the challenge is to transpose this risk appetite — defined at the highest level of management — onto risk types and business lines (or operational sub-units) in an appropriate manner. In this way, the bank can define its target risk structure and at the same time enable decentralized risk responsibility and decision-making in individual lines of business or operational units.

4.1.3 Actual and Target Risk Structure

Based on the defined risk appetite, an overview of the bank's actual risk structure can provide a starting point for defining its target risk structure. The bank's actual risk structure might include the current relative significance of various risk types at the overall bank level (credit risk, market risks in the trading book, interest rate risk in the banking book, etc.) and the distribution of risk concentrations among individual risk types.

An analysis of the bank's actual risk structure can point out areas where imbalances between risk types exist or where changes are necessary due to other risk concentrations, and where the bank's risk structure is difficult to change and thus requires a long-term development plan.

Therefore, the actual risk structure highlights a potential need for action and provides a framework for the bank's further development toward its target risk structure.

The bank should base the future development of its risk structure on its planned business structure and business strategy, as this is the only means of creating the necessary consistency between business and risk strategies. The significance of a bank's business structure becomes obvious when we compare institutions characterized by homogeneous business structures (e.g. specialized banks such as vehicle financing or mobile telephone banks) with institutions that use heterogeneous business structures (e.g. large universal banks), as such comparisons point to relatively homogeneous or heterogeneous risk structures.

Therefore, the bank's target risk structure is ultimately derived from its defined risk appetite and its target business structure. This makes it possible to set the appropriate limits in the ensuing step.

The steps in developing a suitable risk policy — from defining the bank's risk appetite as a primary determinant of risk strategy to setting the appropriate individual limits — can be summarized broadly as follows:

1. Formulation of the bank's overall risk appetite in the form of high-level principles;

2. Definition of limits (initially aggregated for the overall bank) on the basis of the bank's articulated risk appetite and its (possibly rough) target risk structure;

3. Assignment of limits to individual risk categories and lines of business (or operational sub-units);

4. Validation of the expected utilization of individual limits and additional requirements and the consistent adjustment of limits;

5. Implementation of limits in actual operations.

A detailed discussion of limit-setting can be found in Chapter 4.4.2, Risk Limitation as Economic Capital Budgeting. At this point, it is important to ensure that the considerations and motives underlying the bank's risk structure and limits are adequately reflected in the risk strategy.

4.1.4 Basic Structure of Risk Management

The target risk structures and risk targets defined in a bank's risk policy principles (e.g. based on a best-practice approach) give rise to requirements for the actual design of risk management in the ICAAP. These objectives can affect the process of risk management as well as its organization.15

The general requirements for efficient risk management are defined by the bank's risk strategy and include the following:

• structural and process organization;

• distribution of responsibilities and reporting lines to be observed;

• internal control mechanisms and internal auditing;

• design of risk management and control processes;

• adherence to legal requirements; and

• recruiting and retaining key employees.

In particular, articulated risk policy principles and risk targets will also enable the bank to derive a methodological focus for ex post risk control in the risk management process (cf. Chapter 4.5.2.5, Risk Monitoring and Ex Post Control).

For example, with regard to credit risk the bank might employ the following examples of ex post risk control methods with differing levels of priority and intensity in order to reach its defined risk targets (here in the form of a target credit risk structure):

• Risk avoidance: In lending operations, for example, the bank might consistently reject credit exposures with poor creditworthiness on the basis of required risk/return ratios or by defining risk-sensitive business focuses (products, markets, industries, etc.);

• Risk mitigation/limitation: In particular, the bank can demand collateral and/or apply CRM techniques and adhere to the defined credit risk limits as derived above;

• Risk diversification: By diversifying its portfolio, the bank can hedge its dependence on specific developments and thus reduce its risk. Should the bank's portfolio fall below the desired degree of diversification, the bank will need to take suitable measures, such as shifting risk away from individual exposures;

• Risk transfer: In the case of credit risk, for example, the bank can use guarantees and credit derivatives (i.e. CRM techniques without the provision of collateral) and/or securitize its own exposures.

Not all methods have to be attributed the same level of importance at every bank. Rather, it is left to the discretion of the individual bank to focus on those methods which best suit its business strategy.

15 These two aspects are discussed in detail in Chapter 4.5.2, The ICAAP Risk Management Process, and Chapter 4.5.3, Risk Management Organization in the ICAAP.


Excursus: Assessing the Risk/Return Ratio

Principles of a Return-Oriented Risk Policy

Risk-taking is not an end in itself; rather it should always be assessed in relation to its potential returns. Under a return-oriented risk policy, risks should only be taken in cases where the appropriate return can be generated, that is, where risks and opportunities are balanced in the transaction. For this purpose, the risks involved in potential transactions are compared with their potential returns.

While risk-bearing capacity analysis must be used to ensure that a bank can afford to cover any losses which may be incurred, risk/return analysis is used to determine whether risk assumption is worthwhile for the bank.

The concept of risk-adjusted indicators can be especially helpful to senior management and employees in evaluating the risk/return ratio for individual transactions, business lines and the overall bank.

Risk-Adjusted Performance Indicators

RORAC (Return on Risk-Adjusted Capital), RAROC (Risk-Adjusted Return on Capital) and RARORAC (Risk-Adjusted Return on Risk-Adjusted Capital) as well as Economic Value Added (EVA) are the indicators most commonly used in risk-adjusted control. As these indicators are closely interrelated, only RORAC is described in detail here.

RORAC places the income arising from a risky position in relation to the potential risks involved. In simplified terms, RORAC represents the ratio of net income to risk capital. Net income is taken to mean income minus refinancing costs, operating costs, and expected losses (e.g. in loans).16 Risk capital refers to the amount required to cover unexpected losses. Risk capital can either be calculated using a value at risk concept or using simplified methods (e.g. those described in this guideline).

$$\text{RORAC} = \frac{\text{Net income}}{\text{Risk capital}}$$

The ratio shows which potential risk positions yield the best risk/return profile in terms of the expected return and the risk capital required (for a definition of capital types, see Chapter 4.3, Definition of Internal Capital).

The basic idea of comparing risk and return can then be transposed onto the bank as a whole. This performance indicator can thus be applied to individual transactions as well as entire business lines. For example, the bank can compare the risk and return involved in granting loans to large customers of varying credit quality. Likewise, the bank might also compare corporate customer business to retail customer business in terms of risk and return. In general, it is up to the individual bank to decide on the appropriate control indicators for pricing.

The benefits of calculating RORAC can be demonstrated using a simple example:

Assume that an investor has EUR 1,000 to invest. The investment horizon is one year, after which the investor will sell the position. Two investment options are available: Equity 1 and Equity 2. It is now necessary to compare these two alternatives.

Equity 1 is expected to yield an annual return of 4% and Equity 2 an annual return of 10%. This translates into expected income of EUR 40 (Equity 1) or EUR 100 (Equity 2).17

If only the expected return from these two investment alternatives is compared, then it immediately becomes clear that Equity 2 offers better prospects. From a purely return-oriented perspective, the investor would decide to invest the EUR 1,000 in Equity 2.

16 In contrast to the calculation of RAROC and EVA, the cost of equity is not deducted from net income here.

17 No costs are included in this calculation.


However, this perspective does not account for the risk involved in each investment. Once the expected income from each alternative is known, it is necessary to calculate the risk involved. Based on a one-year time horizon, the risk associated with Equity 1 is 2%, meaning that Equity 1 would tie up EUR 20 in risk capital. For Equity 2, the risk comes to 20%, that is, the investor's EUR 1,000 may only be worth EUR 800 after one year. Therefore, the investment would tie up EUR 200 in risk capital.

Using the RORAC figures for Equity 1 and Equity 2, we can now assess the risk/return ratio of each investment. Here it becomes clear that although Equity 2 offers a higher potential return, its risk is disproportionately high. The RORAC for Equity 1 is markedly higher, meaning that the risk/return ratio is better in this investment.

$$\text{RORAC of Equity 1} = \frac{40}{20} = 200\%$$

$$\text{RORAC of Equity 2} = \frac{100}{200} = 50\%$$

As this example shows, risk-adjusted indicators offer a highly effective means of comparing various investment alternatives. As a result, banks and investors have been using these indicators for quite some time.18 For banks, this means that the RORAC concept shows sound potential applications in the management of proprietary holdings and trading activities.

The risk/return ratio and its methodological deployment using risk-adjusted indicators is a useful and desirable form of integrated risk control and capital management. In the first step, however, banks should regard the representation, assessment and maintenance of risk-bearing capacity as a higher priority in the ICAAP.

4.2 Assessment of All Material Risks

An essential prerequisite for analyzing the risk-bearing capacity is to assess all of a bank's material risks and aggregate them into the bank's overall risk position. The sections that follow describe useful procedures for this purpose. In this process, we begin by classifying the various risk types. This covers the risk types included in the calculation of minimum capital requirements (credit risk, market risk and operational risk) as well as those which are not accounted for completely (e.g. concentration risks) or at all (e.g. interest rate risk in the banking book, strategic risk) in that process. On this basis, we suggest various assessment methods for each risk type in line with the proportionality principle. Finally, methods of aggregating risk are also discussed.

4.2.1 Classification of Risks

In this guideline, the term risk is defined as the danger of an adverse deviation in the actual result from an expected result. In formal terms, this interpretation of risk can be expressed as a probability distribution, with future results fluctuating around an expected level. The possibility of a positive deviation is referred to as an opportunity, while the reverse situation is understood as risk in the narrower sense.

Accordingly, attaining a defined target is not considered a risk, although this may also be associated with negative financial effects. In order to make this point clear, we can examine a bank's lending business. Credit defaults obviously reduce the bank's profits. However, if the bank has been able to derive an expected value from experience over time, defaulted loans in that exact amount do not have to be considered risks; rather, they can be integrated directly into the ICAAP by way of pricing and the definition of coverage capital. The actual risk to the bank thus consists in the danger that the result will deviate negatively from the expected value due to random fluctuations.

18 Investment funds are often evaluated on the basis of risk/return ratios, among other indicators. In this area, the Sharpe Ratio is used frequently.

The purpose of assessing risks is to depict the significance and effects of risks taken on the bank. In the first step, a bank can use risk indicators to assess which of its risks are actually material. In the second step, the bank should quantify its risks wherever possible.19 Finally, the bank can calculate the internal capital required to cover its risks.

In order to ensure that risks are consciously handled and systematically managed in line with the ICAAP, it is especially important to distinguish between relevant risk categories. In this respect, this guideline relies on the risk classifications specified by banking supervisors.20 The risk classification chosen is meant to assist the bank (cf. Chart 9: Classification of Risks) in assessing the areas where it might be able to rely on supervisory risk measurement approaches (i.e. predefined methods of calculating minimum capital requirements) and where additional risk measurement methods would be appropriate.

Credit risk refers to the negative consequences associated with defaults or the non-fulfillment of concluded contracts in lending operations due to a deterioration in the counterparty's credit quality. The category of credit risk can be subdivided into the specific risk types of counterparty risk, equity risk (participations), securitization risk and concentration risk. In addition, another type of credit risk exists: the residual risk resulting from the use of credit risk mitigation techniques. This type of credit risk does not arise due to a deterioration of the counterparty's creditworthiness, but from an insufficient ability to realize the collateral taken. This may result from the possibility that the legal mechanism by which the collateral was pledged or transferred does not guarantee that the bank has the right21 to liquidate or seize the collateral. Another possibility is that the collateral will not turn out to be as valuable as expected.

Market risk generally refers to risks which result from price changes on the money and capital markets. Therefore, this type of risk arises due to fluctuations in market prices (e.g. share prices), exchange rates, interest rates and commodities prices. Accordingly, market risks are further classified as equity price risk, foreign exchange risk, interest rate risk and commodities risk.

As defined in the Austrian Banking Act (BWG), market risks include foreign exchange risk and risks in the trading book. In addition, interest rate risk in the banking book is indicated as a separate category.22

Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people or systems, or from external events.23 This definition does not include strategic risk and reputation risk.

19 Risk quantification typically measures the degree of risk, which is expressed as the product of the loss amount (in monetary units) and its respective probability of occurrence.

20 Similar classifications can be found in the EU Directive 2000/12/EC and in the CEBS "Guidelines on the Application of the Supervisory Review Process under Pillar 2".

21 Legal risks are generally seen as a component of operational risk (cf. definition of operational risks). However, those legal risks which arise from transactions intended to mitigate credit risk are defined explicitly as a subtype of credit risk (residual risks arising from credit risk mitigation techniques).

22 From an economic standpoint, other market risks also exist in the banking book (e.g. equity price risk).

23 This definition of operational risks can be found in the EU Directive 2000/12/EC, cf. Article 4 item 22.


Liquidity risks can be categorized as term liquidity risk, withdrawal/call risk, structural liquidity risk (funding liquidity risk) and market liquidity risk. Term liquidity risk refers to an unexpected prolongation of the capital commitment period in lending transactions. Withdrawal/call risk is the risk that more credit lines will be drawn or more deposits withdrawn than expected. This brings about the risk that the bank will no longer be able to meet its payment obligations without constraints. Structural liquidity risk arises when the necessary funding transactions cannot be carried out (or only on less favorable terms). Market liquidity risk arises when positions can only be liquidated immediately at a discount.24

The category of other risks comprises those risk types for which no (or only rudimentary) quantification methods exist. In particular, strategic risk, reputation risk, capital risk and earnings risk are placed in this category.

The chart below provides an overview of risk types:

Chart 9: Classification of Risks

In its specific ICAAP, a bank may also use a different categorization, but the institution should be able to demonstrate that its risk classification is appropriate to its situation and that all material risks are captured.

Several of the risk types presented here (e.g. market and credit risk) can be quantified relatively effectively, meaning that standards for the assessment of these risks have established themselves on the market. There are also risk types (e.g. operational risk) which can basically be quantified at present, but the methods used for this purpose are still in the development or implementation stage at many banks. Finally, there are also risk types for which no quantification methods exist (yet), especially in the category of other risks.

Below we will discuss widely used risk measurement methods which banks can use within the framework of the ICAAP. In line with the proportionality principle, we begin by covering the simpler methods and explaining their application. In this context, we also rely on the standard methods of calculating minimum capital requirements. These methods may be sufficient for those banks whose self-assessment indicates low levels of risk.

24 Due to their similarity, market liquidity risk and market risk are discussed together in this guideline.


On the basis of the simpler methods, we also explain the cases in which it may be useful for a bank to use more advanced risk measurement procedures. In addition, it is necessary to point out that, especially due to technical developments, a number of pragmatic solutions beyond the supervisory (minimum) standards are available; these solutions enable banks to improve risk measurement substantially with reasonable effort. Thanks to the improved accuracy of control, the benefits of these more advanced solutions often offset the required implementation costs even after a short time. However, it is ultimately the responsibility of the individual bank to define suitable internal measurement methods in line with its own risk assessment (see Chapter 3.1.1, Indicators for Specifying Risk Structure). The sections below are intended to provide guidance in this area.

4.2.2 Credit Risks

In this chapter, we present methods of accounting for the following types of credit risk for ICAAP purposes:

- Counterparty/default risk;
- Equity risk (participation risk);
- Credit risk concentrations (including, for example, large exposures, country and transfer risk, industry risk and indirect credit risk concentrations arising from credit risk mitigation techniques).

Credit risks resulting from transactions intended to reduce credit risk (also referred to as residual risks arising from the use of credit risk mitigation techniques) are discussed along with counterparty or default risk due to the close links between these risk types.

Securitization risk can be regarded as yet another dimension of credit risk. Banks in which securitization programs reach a substantial level should refer to the relevant FMA/OeNB guidelines publication.25

4.2.2.1 Counterparty/Default Risk

Various methods can be employed to assess counterparty or default risk in the ICAAP. In the simplest case, the methodology of the Standardized Approach (as applied in the calculation of minimum capital requirements) can be used to determine counterparty risk. In this method, risk weights are defined for certain types of credit exposures primarily on the basis of credit assessments provided by rating agencies. The default risk is then equated to the resulting capital requirements (cf. Chart 10: Calculating Credit Risk using the Standardized Approach).

In the calculation of capital requirements, various credit risk mitigation techniques can be used in order to limit credit risk. Under the Standardized Approach, these include financial collateral, certain forms of physical collateral as well as guarantees and credit derivatives.

In addition, other types of collateral can also be used for the purpose of internal control in the ICAAP. However, this requires that the bank can demonstrate that recognized collateral is actually valuable and that the bank has suitable strategies and methods of controlling and monitoring any residual risks. In this context, it is necessary to ensure that agreements regarding the provision of collateral can be enforced legally, and that the borrower's credit quality and the value of the collateral do not show significant positive correlations.26 Moreover, the collateral should be subjected to regular revaluation.

25 See the volume "Best Practices in Risk Management for Securitized Products" from the OeNB/FMA series of guidelines on credit risk.

Chart 10: Calculating Credit Risk using the Standardized Approach

The requirements for risk-based application of the Standardized Approach27 are the availability of external ratings for the borrowers in the portfolio as well as calculations of exposure at default (EAD). This may be a problem for those banks whose borrower portfolio mainly consists of small and medium-sized enterprises which do not have external ratings. In such cases, it is possible to use predefined risk weights for unrated exposures in the Standardized Approach, but then the assigned risk weight is calculated exclusively on the basis of the asset class and does not take account of the borrower's actual creditworthiness. Banks which plan to use the Standardized Approach for ICAAP purposes should thus be aware that a more risk-adequate assessment of their credit risks will generally only be possible if external ratings are available for the bank's credit portfolio. If no such ratings exist for a majority of the portfolio, then it will not be possible to assess those exposures in a risk-based manner under the Standardized Approach. In those cases, it is advisable to maintain additional capital cushions due to the omission of creditworthiness, which is an essential risk driver.

Another characteristic of the Standardized Approach is that it does not differentiate between expected and unexpected loss. Expected losses should be calculated as standard risk costs in the credit approval process. The actual credit risk, which refers to a potential "surprise loss", thus only comprises the unexpected loss beyond the expected loss assumed in the calculation of standard risk costs. In order to ensure that these data can be compared and aggregated with other risks (e.g. market risks), it is advisable to use unexpected loss as the uniform basis for risk measurement.

26 For information on the general legal conditions for substantiating and enforcing credit collateral under the Austrian legal framework, please refer to the OeNB/FMA guideline on credit risk mitigation techniques.

27 That is, high-risk transactions also have to be supported with more capital than low-risk transactions in the ICAAP.


Regardless of whether a distinction is drawn between expected and unexpected loss, the most important decision criterion in selecting suitable risk quantification methods should be their risk orientation (i.e. increased risk requires increased capital).

The Internal Ratings Based (IRB) Approach in the EU Directive 2000/12/EC offers an assessment method which largely fulfills this requirement. In this approach, the unexpected loss of an exposure is calculated on the basis of a bank's internal ratings. The supervisory capital requirements per credit exposure are then determined according to the bank's internal rating categories. In the IRB Approach, the following risk parameters have to be calculated for each loan:28

- Probability of default (PD): This reflects the probability that a counterparty will default within one year.

- Loss given default (LGD): This parameter indicates the amount of the loss expressed as a percentage of the amount outstanding at the time when the counterparty defaults. Collateral plays a crucial role in LGD estimation.

- Exposure at default (EAD): This refers to the credit amount outstanding at the time of default.

- The effective maturity (M) of the exposure.

Chart 11: Calculating Credit Risk using the IRB Approach

One essential prerequisite for calculating unexpected loss is the availability of default probabilities (PDs). As it is also possible to rely on predefined supervisory values for the other risk parameters (LGD, EAD, M), the bank's internal calculation of default probabilities constitutes the central indicator in calculating a simple credit value at risk under the IRB Approach.

28 Cf. EU Directive 2000/12/EC, Article 4 items 25 and 27, Annex VII Part 3, and Part 2 Section 1.3.

PDs are assigned to individual borrowers on the basis of the bank's internal credit assessments or ratings. Already under the current Austrian Banking Act (cf. Article 39 BWG), due diligence obligations require institutions to classify the creditworthiness of existing and potential counterparties. However, in many cases banks do not convert these credit assessments into one-year probabilities of default. For banks whose internal rating grades are not linked to PDs, these probabilities can still be calculated with reasonable effort. For this purpose, it is advisable to map existing rating grades onto "master scales", which assign a specific probability of default to each rating. In this way, the default probabilities required under the IRB Approach can be determined on the basis of the assigned rating grades for all borrowers.

In the Standardized Approach, the exposure at default (EAD) is calculated using the balance sheet value of the exposure.29 In contrast to the Standardized Approach, however, the IRB Approach uses the amount before value adjustments (i.e. the exposure amount before any specific loan loss provisions or partial write-offs).30

The effective maturity (M) of a loan can be calculated using predefined supervisory formulas based on the underlying transactions. On the other hand (and this method is especially recommended for smaller banks), it is also possible to use predefined supervisory values (for most exposures, the predefined value is 2.5 years).

Credit Risk Models Based on IRB Approaches ("IRB Models")

Using the parameters mentioned above (PD, EAD, LGD, M), it is possible to use the risk weight function31 prescribed by the supervisor to calculate unexpected loss in the form of a simplified credit value at risk.32 The value at risk indicates a position's estimated value loss which will not be exceeded over a defined period of time at a given confidence level. As this calculation can be performed using a formula with few input parameters, using the IRB calculation model as a basis may also be of interest to banks which do not use the IRB Approach in their calculation of capital requirements.

Therefore, the calculation of internal default probabilities is a basic prerequisite for applying the IRB model in internal risk management at every bank. As regards the calculation of the other parameters, three subtypes of the IRB Approach can be differentiated for ICAAP purposes. The accuracy of the individual methods increases along with the use of internal estimates for the required risk parameters.

- Basic IRB model: Internal estimation of PD, use of predefined supervisory values for other risk parameters;

- IRB model with simplified LGD estimation: Internal estimation of PD and LGD (without formal adherence to the minimum requirements for LGD estimation), use of predefined supervisory values for effective maturity;33

- Advanced IRB model: Internal estimation of all risk parameters with due attention to minimum supervisory requirements.

29 For exceptions, see Annex VII Part 3 of the EU Directive 2000/12/EC.

30 As risk is measured using unexpected loss, any value adjustments must be deducted from the risk cover as realized losses. In this way, it is possible to ensure the consistent calculation of risks as well as risk cover. Cf. also Chapter 4.3, Definition of Internal Capital.

31 In principle, multiple risk weight functions exist, depending on the class to which the credit exposure is assigned. For the sake of simplicity, a bank can reasonably confine itself to the risk weight function for corporates, sovereigns and banks for internal risk management (see the EU Directive 2000/12/EC, Annex VII Part 1 Section 1.1). In this case, the risk of all the bank's exposures, regardless of which asset class they are assigned to, is calculated using this single function.

32 In the calculation of credit value at risk, a time period of one year and a confidence level of 99.9% are assumed.

Another input parameter in the calculation of credit risk under the IRB Approach is the expected loss given default (LGD). In contrast to the probability of default, this parameter is not based on an assessment of the counterparty but on the specific transaction. In this context, loss is defined as economic loss, meaning that the proceeds from collateral realization are also taken into account (minus the direct and indirect costs of realization).

The simplest method of calculating LGD is to use the supervisory values predefined for the Foundation IRB Approach. In contrast, the most advanced method involves internal LGD estimates based directly on the minimum supervisory requirements. However, as these internal LGD estimates involve considerable effort, simplified methods may also be used for ICAAP purposes. For example, the bank might base its estimates on the degree of collateralization. This method borrows from the formal estimation of LGD in the Advanced IRB Approach. However, the main difference lies in the fact that this estimate is based not on data histories spanning many years with precisely calculated economic losses, but more pragmatically on the ratio of the outstanding exposure amount to the value of the available collateral. For the purpose of estimation, specific realization rates are assumed for individual collateral types. Although internal LGD estimation methods for ICAAP purposes do not have to meet the formal requirements of the Advanced IRB Approach, they should at least be based on reliable assumptions and reflect reality as accurately as possible. For example, auction proceeds from the recent past might be used for estimation purposes.

Here it becomes clear that (with a few simplifications) it is possible to employ a ratings-based approach to assessing credit risks for ICAAP purposes with far less effort than the formal introduction of the IRB Approach to calculating minimum capital requirements would require. In this way, it is possible to create the conditions necessary to calculate unexpected loss for credit risks in the form of credit value at risk. The calculations required for this purpose can even be carried out with simple spreadsheet programs.

The methods presented, which are based on the IRB Approach, rely on the assumption that the banks' credit portfolios show the highest possible degree of diversification and granularity. In practice, however, the credit portfolios at many banks show concentrations in the form of high loan volumes to individual borrowers, groups of connected clients or industries (see also Chapter 4.2.2.3, Credit Risk Concentrations). As a result, using an IRB model can create a lack of precision in quantification and even lead to substantial underestimates of risk. For this reason, banks should control and limit concentration risks by means of appropriate structural limits and borrower limits based on creditworthiness.
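The calculation chain described above (rating grade mapped to a PD on a master scale, LGD estimated from the degree of collateralization, unexpected loss from the risk weight function) is sketched below as an added example; it is not part of the guideline. The formula is the corporate risk weight function as published in the Basel II framework, which the guideline references but does not reproduce. The master scale, the realization rates, the 45% loss rate on the unsecured portion and the sample loans are assumptions constructed for illustration.

```python
from math import exp, log, sqrt
from statistics import NormalDist

STD_NORMAL = NormalDist()  # standard normal distribution (mean 0, sigma 1)

# Constructed master scale: internal rating grade -> one-year PD (assumed values).
MASTER_SCALE = {"A": 0.0005, "B": 0.0025, "C": 0.0100, "D": 0.0300, "E": 0.0800}

# Constructed realization rates per collateral type (assumed values).
REALIZATION_RATES = {
    "cash": 1.00,
    "residential_property": 0.70,
    "commercial_property": 0.50,
}


def simplified_lgd(ead, collateral, lgd_unsecured=0.45):
    """Estimate LGD from the degree of collateralization.

    collateral is a list of (type, value) pairs. The share of the exposure not
    covered by realizable collateral is charged with lgd_unsecured (assumption:
    45%, the Foundation IRB value for senior unsecured claims).
    """
    if ead <= 0:
        raise ValueError("EAD must be positive")
    recoverable = sum(value * REALIZATION_RATES[kind] for kind, value in collateral)
    unsecured_share = max(0.0, ead - recoverable) / ead
    return unsecured_share * lgd_unsecured


def capital_requirement(pd, lgd, maturity=2.5, confidence=0.999):
    """Unexpected loss per unit of EAD (K) for corporates, sovereigns and banks."""
    if not 0.0 < pd < 1.0:
        raise ValueError("PD must lie strictly between 0 and 1")
    # Asset correlation falls from 24% to 12% as PD rises.
    weight = (1 - exp(-50 * pd)) / (1 - exp(-50))
    correlation = 0.12 * weight + 0.24 * (1 - weight)
    # PD conditional on a systematic shock at the chosen confidence level.
    shocked = (STD_NORMAL.inv_cdf(pd)
               + sqrt(correlation) * STD_NORMAL.inv_cdf(confidence)) / sqrt(1 - correlation)
    conditional_pd = STD_NORMAL.cdf(shocked)
    # Maturity adjustment; it equals 1 / (1 - 1.5 b) at the predefined M = 2.5 years.
    b = (0.11852 - 0.05478 * log(pd)) ** 2
    maturity_adjustment = (1 + (maturity - 2.5) * b) / (1 - 1.5 * b)
    # Expected loss (PD * LGD) is deducted: only the unexpected part remains.
    return lgd * (conditional_pd - pd) * maturity_adjustment


def unexpected_loss(loan):
    """Simplified credit value at risk of one loan in monetary units."""
    pd = MASTER_SCALE[loan["grade"]]
    lgd = simplified_lgd(loan["ead"], loan["collateral"])
    return loan["ead"] * capital_requirement(pd, lgd, loan.get("maturity", 2.5))


def portfolio_unexpected_loss(portfolio):
    """Sum over loans; assumes a granular, well-diversified portfolio."""
    return sum(unexpected_loss(loan) for loan in portfolio)


# Constructed sample portfolio (EAD before value adjustments, in EUR).
SAMPLE_PORTFOLIO = [
    {"grade": "B", "ead": 500_000.0, "collateral": []},
    {"grade": "C", "ead": 300_000.0,
     "collateral": [("residential_property", 250_000.0)]},
    {"grade": "D", "ead": 200_000.0,
     "collateral": [("commercial_property", 100_000.0), ("cash", 20_000.0)]},
]

if __name__ == "__main__":
    for loan in SAMPLE_PORTFOLIO:
        print(loan["grade"], round(unexpected_loss(loan), 2))
    print("portfolio", round(portfolio_unexpected_loss(SAMPLE_PORTFOLIO), 2))
```
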

33 These explanations only refer to application within the framework of the ICAAP.


Moreover, for the purposes of the institution's specific ICAAP, credit portfolio models can provide a useful methodological basis for larger institutions with a substantial share of credit risk in their overall risk structure. Due to the effort required for design and introduction, however, many smaller institutions will probably have to view this method more as a desirable goal in the future development of their credit risk assessment procedures.

4.2.2.2 Equity Risk (Participations)

The supervisory Standardized Approach is the simplest measurement method in the case of equity risks (participations) as well. Especially for equity investments, banks should generally review whether the existing risks should be considered material before choosing suitable methods of risk quantification. For this purpose, the bank can use the indicators mentioned in Chapter 3.1.1, Indicators for Specifying Risk Structure. Assessing whether risks are material is highly important because using the Standardized Approach can lead to vast underestimates or overestimates of risk due to the different characteristics of equity investments as a result of the undifferentiated treatment of equity investments in this approach. As a result, the Standardized Approach does not seem suitable for assessing equity risks if the bank holds material equity risks in its portfolio.

Due to the heterogeneity of equity investments, if material risks exist it is advisable to differentiate equity investments by type when selecting the appropriate quantification methods. In this context, we differentiate between market-valued and "debt-like" equity investments.

For illiquid and/or debt-like equity investments, it is advisable to use measurement methods which are similar to those applied to credit risks. As in the case of credit risk, banks can again apply the methods of the IRB Approach.34 The easiest approach is the simple risk weighting method, in which predefined risk weights are assigned to certain types of equity investments. These weights range from 190% to 370%. In contrast to the Standardized Approach, this method accounts for the fact that as a rule equity investments are accompanied by higher risks than conventional loans, but it does not constitute a truly risk-based assessment. Risk is calculated solely on the basis of the type of equity investment, meaning that credit quality is not taken into account.

In the PD/LGD method, default risk is basically calculated as in the general IRB model: On the basis of the risk parameters PD, LGD, EAD35 and M, a predefined risk weighting function is used to calculate unexpected loss. The main difference from the general IRB Approach lies in the fact that the risk parameters (PD and LGD) must not fall below certain limits. This accounts for the fact that equity investments tend to show higher levels of risk. The advantage of the PD/LGD approach is its risk-adequate assessment on the basis of creditworthiness. Consequently, this approach is recommended for all institutions which hold substantial debt-like equity investments in their portfolios.

34 See the EU Directive 2000/12/EC, Annex VII Part 1 Sections 1.3.1 and 1.3.2.

35 Both the book value and the market value of the equity investment can generally be used as the assessment base for ICAAP purposes. In this context, it is important to ensure that the definition of risk cover corresponds to the valuation approach used. For example, hidden reserves from equity investments cannot be used to calculate risk cover if only book values are used in risk measurement.


Like the IRB formula, the PD/LGD method can be deployed with relatively simple tools (e.g. spreadsheet programs). Besides default probabilities, the only other prerequisite for using this method is access to the institution's current list of equity investments as well as the accompanying valuation approaches (market or book values).

For market-valued equity investments, risk measurement can be based on market risk calculation methods. This can be especially useful in the case of exchange-traded equity investments (equities), equity funds, index funds and (equity) certificates, as these methods enable more risk-adequate assessments.36 For the sake of completeness, it is also necessary to mention risk quantification for market-valued equity investments using the IRB Approach based on internal models.37 However, this is a highly involved method which appears more suitable for large banks.

4.2.2.3 Credit Risk Concentrations

Credit risk concentrations may involve large exposures to groups of connected clients. These groups refer to companies which are legally or economically connected in such a way that a majority of the individual borrowers in the group would encounter repayment problems38 if a single one of them encountered financial difficulties. At the same time, credit risk concentrations can also include significant exposures to groups of borrowers whose default probabilities depend on the same factors (e.g. loans to customers whose financial strength depends on the same products or services, or loans to customers from the same region).

Credit risk concentrations can generate such large losses that the risk-bearing capacity and continued existence of the bank might be endangered. In the past, bank insolvencies have often been attributed to the effects of credit risk concentrations. Accordingly, this risk deserves increased attention.

Various forms of credit risk concentrations can be distinguished in this context. The most important ones are as follows:

- Large exposures to individual clients or groups of connected clients: The difficulty in assessing this form of credit risk concentration lies primarily in identifying connected clients. It is not sufficient to consider only those groups which prepare consolidated balance sheets. Instead, the bank must examine its individual borrowers for economic dependencies. Mutual guarantees, joint property or the same management can serve as signs that counterparties are connected to one another.

- Large exposures to clients of poor credit quality: This form of credit risk concentration refers to concentrations in a bank's lower rating grades. In the ICAAP, banks should define the maximum risk they are willing and able to take on in each rating grade. In line with the principle of risk orientation (i.e. increased risk requires increased capital), correspondingly lower exposure limits should be specified for the lower rating grades in particular. Even a "medium-sized" loan volume can create problems in these rating grades (cf. Chapter 4.4.2, Risk Limitation as Economic Capital Budgeting).

- Countries: In the case of country or transfer risk, the risk need not necessarily arise from the counterparty's actual default; rather, the danger is that the counterparty will not be able to meet its obligations because the relevant central bank does not make the required foreign exchange available. Country risk thus refers to the inability or unwillingness of a country to provide foreign exchange for interest and principal payments. In addition to transfer risk, economic or political developments in a country can also have a direct impact on the borrowers' creditworthiness. As a result, increased lending to borrowers in a given country can lead to correspondingly high losses for the institution if country risks are realized.

- Industries: Industry risk refers to loans granted to customers whose creditworthiness depends on the same products or services.39 The risk connections within an industry are less pronounced than in the case of a group of connected clients or a country, but a specific industry crisis can still bring about a marked increase in default rates in that industry as well as dependent industries.

- Risk arising from foreign currency loans and foreign currency loans with repayment vehicles: This form of credit risk concentration is particularly widespread in Austria.40 Foreign currency loans are granted to non-banks and are at least partly denominated in currencies other than the euro. Foreign currency loans with repayment vehicles are also granted to non-banks, and repayment is supported by one or more financial products in which the borrower's payments serve to form capital which is later used (at least in part) to repay the loan (i.e. repayment vehicles). In this form of concentration, classic foreign exchange risk is borne by the customer. Therefore, the borrower's ability to repay (creditworthiness) may be severely impaired by unfavorable developments in the exchange rate.41 If a bank holds large parts of its assets in the form of foreign currency loans, default rates may rise drastically in extreme cases.

- Indirect credit risk concentrations arising from credit risk mitigation techniques: This risk refers to concentrations which mainly originate from the increased use of only one type of collateral at a given bank. Examples of this might include securing loans primarily with commercially used real estate or the use of a single guarantor for a majority of loans.

36 A description of various market valuation methods can be found in Chapter 4.2.3, Market Risks in the Trading Book, Foreign Exchange Risks at the Overall Bank Level.

37 See the EU Directive 2000/12/EC, Annex VII Part 1 Section 1.3.3.

38 In the worst case, all of the borrowers in the group would default.

In the ICAAP, banks should introduce effective internal strategies, systems and reviews to identify, assess, control and monitor any substantial credit risk concentrations. The basic idea in this context is that increasing loan diversification will serve to reduce such concentrations. In this context, banks can rely on two possible methods of limiting credit risk concentrations: the strict limitation of concentration risks or limitation by way of increased monitoring (see Chapter 4.4.2, Risk Limitation as Economic Capital Budgeting).

39 Industry risk is especially challenging for banks because in many cases there are no clear delineations between industries.

40 Cf. Chapter 4.5.5, References to FMA Minimum Standards.

41 In certain cases, a foreign currency loan can also have a positive impact on creditworthiness, for example when the borrower collects revenues in the same currency.

Chart 12: Overview of Possible Approaches to Assessing Credit Risks

Procedures to limit concentration risks are especially recommended for banks which have no (or only insufficient) means of measuring concentrations due to the methods they use to assess credit risks. The methods actually used should be chosen according to the relevant type of concentration. A strict limitation42 of concentration risks is particularly suitable when the individual exposures in a group of similar exposures show high positive correlations with one another. For all other types of correlations (e.g. industries), increased monitoring can be used for limitation purposes.

42 In this context, the limit can be derived directly from the bank's risk-bearing capacity, cf. Chapter 4.4, Securing Risk-Bearing Capacity.


4.2.3 Market Risks in the Trading Book, Foreign Exchange Risks at the Overall Bank Level

In line with the proportionality concept, an evolutionary process in risk measurement also emerges in the case of market risk in the trading book, foreign exchange risk at the overall bank level and interest rate risk in the banking book. This means that the higher a bank's risk appetite and the more complex its risk structure is, the more sophisticated its methods of risk measurement should be.

Chart 13: Overview of Assessment Methods for Market Risk in the Trading Book, Foreign Exchange Risks at the Overall Bank Level, and Interest Rate Risks in the Banking Book

Market Risks in the Trading Book

For the purpose of measuring risk in the trading book, banks can use the standard supervisory methods for calculating capital requirements. The advantage of this approach is that the figures are already available from the bank's calculation of capital requirements. The disadvantage of the standard method is that this means of risk measurement only partly reflects economic risks. The larger and more complex a bank's trading positions become, however, the less closely the calculated capital requirements reflect the actual risk level. Especially in large, highly diversified portfolios and in the case of exotic derivatives or other complex products, economic risk can deviate markedly from the calculated capital requirements. In such a case, the bank should make efforts to improve the quality of risk measurement in the ICAAP. This can usually be achieved using a VaR model. However, we will first describe a pragmatic approach which can be regarded as a sort of precursor to the VaR model.

In the simplest solution, the bank can use historical data to derive volatilities (standard deviations) for a defined holding period and then rescale those volatilities to the desired confidence level. This will allow the bank to derive a probability-based risk value. For example, the bank can derive the risk of a stock from its historical margin of fluctuation and scale the risk to a desired confidence level. A different method must be applied in the case of interest-bearing instruments. Based on classic valuation methods (sensitivity measures) such as modified duration or PVBP (present value of a basis point), a bank can first calculate the sensitivity of the position's present value to changes in market interest rates. However, a statement as to the probability of the interest rate change is still missing. The bank can make this estimate using a probability-based scenario derived from historical market data (e.g. an interest rate increase of 100 basis points).

However, this pragmatic method is only suitable for relatively short holding periods or for a rough indication of risk. Sensitivity measures (e.g. modified duration) assume an immediate change in interest rates and disregard the effects of the time horizon. For a rough estimate of risk, it is also possible to derive a price volatility from an interest volatility.43

In order to ensure comprehensive, probability-based risk measurement across all risk classes, it is advisable to use VaR models. The advantages of these models include the ability to aggregate individual risks and the greater ease of scalability (i.e. changes in the time horizon or confidence level). For banks which have a high risk profile with regard to the size and type of trading portfolios, using a VaR model is appropriate for internal risk measurement.

The most commonly used VaR methods are the variance-covariance approach, historical simulation and Monte Carlo simulation. The advantages, disadvantages and applicability of the individual models depend on the bank's portfolio structure, among other factors. This requires special attention in the selection of a suitable model in cases where a bank holds relatively large quantities of nonlinear derivatives (e.g. options) in its trading portfolio.44

In market risk measurement, any existing market liquidity risks should also be taken into account. Market liquidity risks arise when a position cannot be sold within a desired time period or only at a discount (market impact). This is especially the case with securities/derivatives in illiquid markets, or when a bank holds such large positions that they cannot be sold easily. These market liquidity risks can be accounted for by extending the holding period in risk measurements (e.g. the holding period for VaR) or by applying expected values derived from experience. In this context, a bank should follow the principles of prudent valuation as specified in the EU Directive 93/6/EEC (Capital Adequacy Directive).

Foreign Exchange Risks in the Banking Book and Trading Book

Foreign exchange risks arise for a bank when exposures or liabilities are accepted in a foreign currency and are not offset by a corresponding position or derivative transaction. In an initial step, this risk can also be calculated using the supervisory capital requirements under Article 26 BWG. In this context, it is advisable — in analogy to risks in the trading book — to use a probability-based risk measurement method (VaR model) if material foreign exchange risks are involved. In order to calculate a simple value at risk, the open foreign exchange position in each currency can be multiplied by the annualized volatility. The appropriate scaling can be performed to attain the desired confidence level.

43 Cf. OeNB Guidelines on Market Risk, Volume 4: Provisions for Option Risks, Chapter 2.5.3.

44 Cf. De Raaij and Raunig, A Comparison of Value at Risk Approaches and Their Implications for Regulators, OeNB Focus on Austria 4/1998; and Steiner et al., Value-at-Risk-Schätzung bei Optionen, p. 69 f.

4.2.4 Interest Rate Risks in the Banking Book

Interest rate risks are generally the most significant category of market risks for banks which do not maintain a trading book. Accordingly, the measurement of interest rate risks is very important for positions in the banking book. For the purpose of integration into the ICAAP, risk calculations should be based on a present value perspective. Guidelines for risk calculations from a present value perspective have been published by the Basel Committee (among others).45 Considering risks under commercial regulations (P&L risk) is also necessary and useful in assets and liabilities management as well as for budgeting purposes.

In order to calculate economic risk, banks which have not yet implemented more advanced systems can also rely on the results reported in interest rate risk statistics. The 200 basis point interest rate shift assumed in this context is an extreme scenario in interest rate developments. However, the advantage of using interest rate risk statistics lies in the fact that banks without their own systems can use the results reported in interest rate risk statistics for the ICAAP with minimal additional effort. In the standard method, however, this merely provides a rough estimate of interest rate risk. Interest rate risk statistics do not include the effects of inversions in the yield curve or basis risk, and they overestimate the risks arising from linear positions (e.g. a fixed-income federal government bond). Instead of the 200 basis point interest rate shock, however, banks can consider various other interest rate scenarios. The quality of risk measurement increases if the bank is also able to calculate the probability with which the assumed scenario (e.g. an interest rate increase of 200 basis points) will occur. However, such an approach still tends to depict present value risk inaccurately, as the shortening of the effective maturity during the scenario is not taken into account.

The disadvantages mentioned above can largely be avoided by using a suitable value at risk approach. In such an approach, the present values of cash flows arising from interest rate commitments are calculated for all interest-bearing instruments in the banking book (assets, liabilities, off-balance-sheet items). The change in present value is derived by simulating market scenarios and revaluating the positions. In this process, the holding period and confidence level can be set according to the institution's requirements.

There are also other market risks in addition to interest rate risks in the banking book. If these risks have not been captured elsewhere, for example in equity risk measurements, then a market risk-based measurement should be performed. This may be appropriate for equities (cf. Chapter 4.2.2.2, Equity Risk), as risk measurements based on capital requirement calculations might be too imprecise. In order to calculate a risk-based value nonetheless, in the case of equities or index certificates it is possible to rely on historical volatilities (i.e. fluctuation margins, in analogy to the procedure described for risks in the trading book). As an alternative, it is also possible to calculate the volatilities of market indices only. In this context, the bank can use beta factors, which express the relationship between the index's fluctuation margin and that of the respective equity. Ultimately, using VaR models is also the optimum solution for other market risks in the banking book for the ICAAP, as this approach enables sound comparisons with other risk types.

45 Basel Committee on Banking Supervision (2004), Principles for the Management and Supervision of Interest Rate Risk.

4.2.5 Liquidity Risks

Liquidity risks can be categorized as term liquidity risk, withdrawal/call risk, structural liquidity risk (funding liquidity risks) and market liquidity risk. As market liquidity risk was already discussed in connection with measuring market risk, this chapter will deal with methods of measuring the other types of liquidity risk.

We will first describe term liquidity risk and withdrawal/call risk. A bank can assess its liquidity situation by comparing its payment obligations to its incoming payments. Liquidity risk can already arise due to a mismatch between incoming and outgoing payments. In addition, there may also be unexpected delays in repayments (term liquidity risk) or unexpectedly high payment outflows (withdrawal/call risk).

Chart 14: Liquidity/Funding Matrix

It is important to measure the liquidation period for assets and consider planned as well as potential outflows. With regard to the liquidity of assets and capital commitment assumptions, predefined supervisory values can also be applied. In the simplest case, banks can rely on the data reported for residual maturity statistics for the purpose of measuring liquidity risks. In order to measure and simulate liquidity risk, a bank can use its own assumptions and scenarios as long as these are appropriate and justifiable. The bank can assess its liquidity situation by comparing the maturities of short-term accounts receivable and short-term accounts payable (cf. Chart 14: Liquidity/Funding Matrix). The bank must maintain sufficient liquid funds in order to ensure that appropriate cover is available for future imbalances between payment inflows and outflows.


In the ICAAP, term liquidity risk and withdrawal/call risk do not necessarily have to be supported with internal capital. Instead, this risk can be limited by calculating adequate indicators and taking process-related measures.

For the purpose of controlling liquidity risk, a bank should establish adequate internal guidelines as well as administrative, accounting and review procedures. A credit institution can control liquidity risks by organizing its maturity structure for receivables and payables as well as interest resetting and prepayment options appropriately. In the case of a liquidity shortage, emergency plans which enable effective and timely countermeasures should also be available. In the simplest case, a liquidity plan for a bank within a group or association might provide for support from the central institution. However, the central institution must be aware of its function as the provider of liquidity and thus also be able to assess how much liquidity it can make available and what measures have to be taken if — in the worst-case scenario — multiple institutions require funds at the same time. The bank's management bears responsibility for ensuring that liquidity management methods are organized properly.

Aside from risks in the short-term perspective, structural liquidity risk (funding liquidity risk) is also a factor. This type of liquidity risk refers to the fact that the cost of liquidity for the purpose of closing liquidity gaps can change if refinancing becomes more expensive due to a decline in the bank's creditworthiness. If the bank's credit quality deteriorates, refinancing can become more expensive regardless of interest levels; this can be observed in the expansion of credit spreads on the money and capital markets. In such cases, a bank will have to pay more for refinancing in the future due to the decline in its creditworthiness. Structural liquidity risk is calculated by assuming a rating migration46 and the resulting effects on credit spreads. The risk capital need results from the present-value cost difference between refinancing on current terms and refinancing after the simulated rating migration.

Structural liquidity risk is especially significant when a bank refinances to a great extent on the money and capital markets, or with other banks (interbank market).

4.2.6 Operational Risks

A bank can use various methods to assess operational risks. In the ICAAP, the Basic Indicator Approach (for the calculation of minimum capital requirements) is the simplest method of quantifying operational risks. In this approach, a risk weight of 15% is applied to a single indicator, specifically the average gross income (i.e. the sum of net interest income and net non-interest income) over the last three years. The risk is equated to the resulting capital requirements.47

For banks, the advantage of applying the Basic Indicator Approach primarily lies in its simplicity. However, there is no immediate causal relationship between a bank's operational risks and its operating income. In order to come to a better assessment of its own risk profile, a bank would be well advised not to rely on the Basic Indicator Approach alone to capture risks. For example, a more specific calculation of a bank's risk situation can be performed by means of a systematic internal survey of realized operational risks using a loss database.

46 In simplified terms, this means the following: If, for example, the probability that a bank's rating will not fall below BBB is 99.9%, this migration can be used in the ICAAP.

47 For a precise definition, see Annex X Part 1 of the EU Directive 2000/12/EC.

Under the Standardized Approach, operational risk is also calculated exclusively on the basis of the risk indicator described above. However, in this case the indicator is not calculated for the bank as a whole, but individually for specific business lines as defined by the supervisory authority (retail, corporate, trading, etc.). Accordingly, the Standardized Approach includes not only a risk weight of 15%, but specific risk weights defined for each business line. This means that applying the Standardized Approach basically involves the same problems as applying the Basic Indicator Approach. However, a number of process-related guidelines on limiting operational risks are provided as prerequisites for using the Standardized Approach to calculate capital requirements. In any case, these are well suited for internal use for ICAAP purposes.

Finally, banks can also develop internal methods of quantifying operational risk (referred to as Advanced Measurement Approaches48). Such methods are desirable because they aptly reflect the bank's risk profile, but their design and implementation involve high levels of effort. For this reason, many banks should view such methods more as a desirable goal in the future development of methods for evaluating operational risks.

In general, all banks should pay due attention to the guideline on managing operational risk49 in their ICAAP, regardless of the approach used. The publication contains guidelines and methods for the conscious handling of operational risks; this information is not only applicable to the calculation methods for capital requirements but also to internal procedures related to the ICAAP. In particular, the guideline presents suitable procedures by which the bank can reduce individual operational risks using organizational security and review measures.

4.2.7 Other Risks

With regard to other risks, the supervisory authority only provides indications of possible risk subtypes without systematically classifying these risks. As a result, the banks themselves are responsible for classifying their specific risks in this category. In this regard, banks are required to analyze which types of other risks are relevant to their operations by carrying out a self-assessment allowing for idiosyncratic circumstances (cf. Chapter 3.1, Principle of Proportionality). In this assessment, institutions should at least consider the following potential forms of other risks and review their significance (materiality) within the institution:

• Strategic risk: Strategic risk refers to negative effects on capital and earnings due to business policy decisions, changes in the economic environment, deficient or insufficient implementation of decisions, or a failure to adapt to changes in the economic environment.

• Reputation risk: Reputation risks refer to the potential adverse effects which can arise from a bank's reputation deviating negatively from its expected level. A bank's reputation refers to its image in the eyes of the interested public (capital investors/lenders, employees, customers, etc.) with regard to competence, integrity and reliability.

• Capital risk: Capital risk results from an imbalanced internal capital structure in relation to the nature and size of the bank, or from difficulties with raising additional risk coverage capital quickly if necessary.

• Earnings risk: Earnings risk arises due to the inadequate diversification of a bank's earnings structure or its inability to attain a sufficient and lasting level of profitability.

48 The quantification models for operational risk using internal methods are currently in the development stage. For a description of suitable models, see the OeNB/FMA guidelines "Operational Risk Management".

49 Cf. OeNB/FMA 2005. In addition, many suggestions on the conscious handling of operational risks can be found in "Sound Practices for the Management and Supervision of Operational Risk" published by the Basel Committee on Banking Supervision.

Should banks come to the conclusion that any of the other risks listed are not potentially material in their case, they should be able to justify this to the supervisory authority.

Banks can introduce procedures for the management of other risks in separate stages. Due to the lack of available quantitative measurement methods, other risks can also be measured and controlled by exclusively qualitative means. The bank should justify qualitative risk assessments for the various subtypes of other risks and document these appropriately. Here it is helpful to draw up a set of rules for handling other risks.50 These rules should describe specific methods and processes with which the bank can reduce the probability that other risks will materialize. In addition, the bank should analyze the causes behind significant realized losses in order to develop effective countermeasures on the basis of these insights. In order to incorporate these risks into its risk management, the bank can maintain a capital cushion for other risks in its internal limit system; the size of this cushion should correlate with the qualitative risk assessments.

If a bank has installed appropriate procedures to quantify several other risks, the thus calculated risk figures can replace the existing capital cushion and be integrated into the bank's internal limit system.

4.2.8 Defining Specific Assessment Procedures for All Material Risks

Based on the suggested methods of assessing risks, banks can define the way in which each relevant risk type is accounted for in the ICAAP. For this purpose, the bank should evaluate which risks must be integrated into risk-bearing capacity analyses for the ICAAP and which risks are not material. In addition, it is necessary to decide on the assessment methods for all material risks (e.g. standard methods used in calculating minimum capital requirements, internal methods, capital cushions). The bank should also formally document each of these decisions. A systematic risk categorization can be drawn up in the form of a table, for example. The Chart below shows an excerpt from a sample table for an institution's specific incorporation of the relevant risk types in the ICAAP.

50 Cf. Chapter 4.1, Strategy for Ensuring Capital Adequacy.


Chart 15: Sample Incorporation of an Institution's Relevant Risk Types in the ICAAP

4.2.9 Aggregation of Risks

4.2.9.1 Aggregation at Institution Level

The discussion of banking risks up to this point has been confined to individual risk types. However, overall bank risk is a combination of all the risk types which are relevant to the individual bank. Therefore, the overall risk position of the bank has to be calculated by means of aggregation.

For banks which rely heavily on the basic methods of calculating minimum capital requirements in their assessment of individual risk types, aggregation can be performed by simply adding the risks calculated (including credit risks, market risks and operational risks). Other material risk types should then be accounted for by establishing sufficient capital cushions, or the bank can demonstrate that the other risk types are not material. A further refinement of this method would be a separate assessment of additional material risk types. In this case, overall risk is calculated by adding the individual risks calculated for the minimum capital requirements and the other relevant risk types (assessed separately). Both methods can also be used simultaneously: For certain risks (e.g. interest rate risk in the banking book), the degree of risk might be quantified more precisely, while a general capital cushion is maintained for additional risks (e.g. other risks).

For the purpose of aggregating individual risk positions, it is advisable to use measurement methods which yield comparable assessment results for various risk types. One such method is value at risk (VaR). In this method, the main prerequisite for meaningful aggregation is that the same probability (or the same confidence level) and the same holding period are assumed in the measurement of each risk type. For ICAAP purposes, for example, — especially for the case of liquidation51 — a VaR-compliant calculation of the overall bank's risk based on a one-year risk horizon52 and a confidence level of 99.9% seems appropriate, as this holding period and probability are also assumed for credit risks under the IRB Approach. In any case, the chosen time horizon and confidence level should be plausibly justified vis-à-vis the supervisory authority by the credit institution.

51 For more information on the various hedging objectives, see also Chapter 4.3.2, Suitability of Equity Capital Types for Various Hedging Objectives.

Banks which are able to calculate a VaR for credit and market risks but do not have a sufficient data set to calculate VaR for operational risks can use a simplified approach in which they determine operational risks using the Basic Indicator Approach or the Standardized Approach and then substitute the resulting risk with a VaR based on a 99.9% confidence level and a one-year holding period (consistent with the confidence level and holding period for credit risk measurement under the EU Directive 2000/12/EC). In practice, it is only for the category of other risks that VaR methods or suitable heuristics are difficult to find. For this reason, capital cushions for other risks should also be included when the VaR concept is applied.

Any interdependencies or correlations between the risk types should be accounted for in the aggregation of VaR values for individual risk categories into a VaR for the overall bank. In line with the principle of prudence, it is advisable to assume a completely positive correlation at first, that is, to add up the individual risk types. This leads to a conservative aggregation of risks, which has to be chosen if there is no well-founded evidence to support a different level of correlation. Due to diversification effects, values which deviate from a completely positive correlation will reduce the resulting overall bank risk. Banks which plan to apply lower correlation coefficients should be able to demonstrate that the lower values are appropriate, given the composition of the bank's own portfolio. For example, the use of lower correlations based only on the development of worldwide credit spreads and general interest rates will not be sufficient. Even if the required evidence is available, it is always appropriate to perform additional scenario analyses in the form of stress tests which assume a completely positive correlation. In principle, the correct application of more complex procedures is permissible (e.g. copulas).53
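The aggregation described in this section, worked through as an added example (not part of the guidelines). All amounts and correlation coefficients are constructed sample values, and the square-root formula used to apply the coefficients is an assumption, since the guidelines do not prescribe one; the names `RiskFigure`, `aggregate` and `overall_bank_risk` are hypothetical.

```python
import math
from dataclasses import dataclass

BIA_RISK_WEIGHT = 0.15  # Basic Indicator Approach weight stated in the guidelines


@dataclass(frozen=True)
class RiskFigure:
    name: str
    amount: float         # constructed sample value, EUR million
    confidence: float     # e.g. 0.999
    horizon_years: float  # e.g. 1.0


def basic_indicator_op_risk(gross_income_3y):
    """15% of the average gross income over the last three years."""
    if len(gross_income_3y) != 3:
        raise ValueError("gross income is needed for exactly three years")
    return BIA_RISK_WEIGHT * sum(gross_income_3y) / 3


def check_comparable(figures):
    """Aggregation is only meaningful at one confidence level and holding period."""
    basis = {(f.confidence, f.horizon_years) for f in figures}
    if len(basis) != 1:
        raise ValueError(f"risk figures use different bases: {sorted(basis)}")


def aggregate(figures, correlations=None):
    """Combine stand-alone figures; pairs not listed default to rho = 1.0.

    Assumption (not from the guidelines): sqrt(sum_ij rho_ij * v_i * v_j).
    With rho = 1.0 everywhere this reduces to the simple sum.
    """
    check_comparable(figures)
    correlations = correlations or {}
    total = 0.0
    for a in figures:
        if a.amount < 0:
            raise ValueError(f"negative risk figure for {a.name}")
        for b in figures:
            if a.name == b.name:
                rho = 1.0
            else:
                rho = correlations.get(frozenset((a.name, b.name)), 1.0)
            if not -1.0 <= rho <= 1.0:
                raise ValueError(f"invalid correlation for {a.name}/{b.name}")
            total += rho * a.amount * b.amount
    # Guard against a tiny negative value from an inconsistent matrix.
    return math.sqrt(max(total, 0.0))


def overall_bank_risk(figures, correlations=None, other_risk_cushion=0.0):
    """Return the diversified figure next to the full-correlation stress figure.

    The cushion for other risks is not a VaR, so it is added on top and
    receives no diversification benefit.
    """
    conservative = aggregate(figures)            # completely positive correlation
    diversified = aggregate(figures, correlations)
    return {
        "stress_full_correlation": conservative + other_risk_cushion,
        "diversified": diversified + other_risk_cushion,
        "diversification_benefit": conservative - diversified,
    }


def sample_figures():
    """Constructed inputs: credit and market VaR plus Basic Indicator op risk,
    the latter treated as a 99.9% / one-year figure as the text permits."""
    op_risk = basic_indicator_op_risk([210.0, 190.0, 200.0])
    return [
        RiskFigure("credit", 120.0, 0.999, 1.0),
        RiskFigure("market", 40.0, 0.999, 1.0),
        RiskFigure("operational", op_risk, 0.999, 1.0),
    ]


# Constructed coefficients; a bank would have to justify any value below 1.0.
SAMPLE_CORRELATIONS = {
    frozenset(("credit", "market")): 0.5,
    frozenset(("credit", "operational")): 0.2,
    frozenset(("market", "operational")): 0.2,
}

if __name__ == "__main__":
    print(overall_bank_risk(sample_figures(), SAMPLE_CORRELATIONS, 10.0))
```
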

4.2.9.2 Aggregation at Group Level

In Chapter 3.2, Levels of Application within Groups of Institutions, we already mentioned that banks may also be required to apply the ICAAP at the subconsolidated or consolidated level. In such cases, the institution responsible for consolidation should be in a position to aggregate, assess and (as necessary) control the material risks of all companies which have an impact on risk in the group — including its own risks.

ICAAP requirements are to be fulfilled at the consolidated or subconsolidated level on the basis of the regulatory scope of consolidation (Article 30 BWG), the definition of which, however, primarily relies on the place of incorporation and the focus of activities of the relevant companies. The risk profile of the individual companies, on the other hand, does not play a role in determining the regulatory scope of consolidation.

52 Even for risk types to which shorter holding periods are applied in the assessment process (such as market risk under Article 26 (b) BWG), it makes sense to adapt figures to a one-year horizon (cf. Chapter 4.4.1, Linking Potential Risks to Risk Coverage Capital).

53 As a replacement for simple correlations in the statistical evaluation of affiliation effects between risk types, the concept of copulas has also been under development for several years; this method enables more precise modeling of the dependencies between risk types, but it also requires more intensive technical effort.

In order to ensure that all material risks are taken into account at group level, it may be useful to expand the regulatory scope of consolidation to include an economic perspective. Starting with the companies included in the regulatory scope of consolidation, the perspective is broadened to encompass those companies which make a significant contribution to the overall economic risk of the group. Every company which generates material risks from the group's perspective should be included in the calculation of the group's overall risk position. This can even mean that it may be reasonable to integrate risks originating in companies with which the group has no capital or management interrelationships relevant to consolidation. On the basis of business relationships alone, a company might be considered to have an impact on the overall risk position of the group. One example of such a situation is the integration of an independent outsourcing provider into the calculation of operational risk at the group level.

The bank's internal evaluation of the relevant companies' risk profiles can thus make it necessary to add companies to the regulatory scope of consolidation. For internal risk management purposes, it is important that no material risks are disregarded only because a relevant company is not included in the regulatory scope of consolidation.

As regards the actual aggregation of risks at the group level, the same requirements apply as in the merging of all relevant risks at the individual institution level. Accordingly, the methodological recommendations mentioned for aggregation at the individual institution level — i.e. assuming conservative correlations as well as defining uniform confidence levels and holding periods — also apply to the group level.

Chart 16: Aggregation of All Material Risks


4.3 Definition of Internal Capital

4.3.1 Classification and Composition of Equity Capital Types

Once all material risks have been evaluated and aggregated to yield the overall bank's risk position, the question arises as to what amounts and what types of risk coverage capital are available. In this context, the EU Directive 2000/12/EC explicitly mentions the assessment of internal capital. In this chapter, we first define specific types of equity capital. Essentially, we can distinguish between balance sheet equity, market value- and net asset value-based equity, and regulatory capital. We then discuss the uses and suitability of these capital definitions in relation to the relevant hedging objectives. On that basis, we describe a procedure by which banks can quantify and classify risk coverage capital.

4.3.1.1 Balance Sheet Equity

Balance sheet equity corresponds to the (nominal) equivalent value of capital invested in the bank by its owners (shareholders, cooperative members, associations). Balance sheet equity is thus equal to the book value of equity.

According to the Austrian Banking Act (BWG), the book value of equity comprises the following positions (in simplified terms):

Chart 17: Composition of Balance Sheet Equity

Retained earnings increase balance sheet equity, while earnings distributions, capital repayments and losses bring about a reduction.

Balance sheet equity depends on the accounting policies used by the respective bank. The provisions of the Austrian Commercial Code (HGB) and IAS/IFRS are especially relevant in this context. The valuation requirements under IAS/IFRS, which focus heavily on the valuation of assets at their market values (see, for example, the requirements for the valuation of financial instruments under IAS 39), also have an effect on equity accounting.

Especially as it neglects hidden reserves, balance sheet equity only provides a rough picture of the coverage capital actually available. This problem is only partly offset by the use of IAS/IFRS standards.

4.3.1.2 Net Asset Value of Equity

The net asset value of equity equals the book value of equity plus hidden reserves. Assets (e.g. securities) are valuated at their market values. This calculation only includes transactions for which agreements have already been concluded, that is, valuation does not include business which is yet to be acquired.

If market values are not available for individual positions, then it is necessary to use valuation methods (e.g. by discounting cash flows) or to obtain expert valuation reports (e.g. for real estate) in order to calculate market values. Specifically, this may be necessary in the case of illiquid or non-exchange-traded securities, equity investments and receivables from customer transactions. In net asset value calculations, all value-reducing factors which might arise in the reversal of hidden reserves have to be deducted (realization risk). For example, in customer transactions all (present-value) costs — operating costs, risk costs for risky transactions, costs of equity — have to be deducted from the calculated present value of payments (principal and interest) in order to obtain a sustainable net asset value.

The net asset value provides a suitable indicator for use in a bank's internal risk management. On the one hand, this method also accounts for the bank's hidden reserves, and on the other hand it offers a conservative assessment because the measurement of risk cover is based exclusively on the sustainable assets of the bank.

4.3.1.3 Total Market Value of Equity

In contrast to the net asset value, the total market value of equity is calculated with attention to the bank's expected future performance. Future performance can be incorporated using projected earnings for the current business year, or the value added by transactions to be concluded in the future in the form of projected earnings (goodwill). In the case of exchange-listed banks, the total market value of equity is equal to market capitalization (shareholder value). For unlisted institutions, the total market value of equity can be calculated using internal methods (e.g. valuation of projected earnings using the present value method). The problem with using the total market value approach to determine risk coverage capital is that the current total market value will hardly be sustainable if risks materialize.

4.3.1.4 Regulatory Capital

The concept of regulatory capital distinguishes the available risk coverage capital by quality. According to Article 23 BWG, the following capital components can be distinguished:

• Core capital (tier 1 capital);

• Tier 2 capital, especially supplementary capital and long-term subordinated capital; and,

• Short-term subordinated capital (tier 3 capital).

Core capital is distinguished by the fact that its components are available immediately without limitations and for an indefinite period of time. In general, core capital equals the book value of equity. Compared to core capital, supplementary capital is of lower quality, for example because it is only subordinated or must be repaid in the long term. Short-term subordinated capital (tier 3 capital) consists of certain short-term subordinated liabilities with an original maturity of more than two years. The total of these components equals the bank's own funds in the amount recognized under Article 23 BWG. These funds serve to fulfill the requirements set forth in Article 22 BWG. In the course of implementing the new regulations on capital requirements (EU Directive 2000/12/EC), the essential characteristics of own funds will largely remain unchanged. Supervisory provisions require banks to examine these capital resources within the ICAAP framework (allowing for the 8% own funds requirements in capital planning).


Chart 18: Categorization of Equity Capital

4.3.2 Suitability of Equity Capital Types for Various Hedging Objectives

The suitability of each capital type for use in the ICAAP depends heavily on thebank�s hedging objectives. In this context, the following general objectives canbe distinguished (cf. Chart 19: Overview of Hedging Objectives for Risk-Bear-ing Capacity).

In the going concern perspective the bank can define individually what theterm �going concern� means. Typically, a zero result or even the consumptionof an unneeded share of uncommitted equity is considered acceptable for a goingconcern. In this context, the minimum regulatory capital requirement must beregarded as the absolute bottom limit for the going concern objective. In addi-tion, it is advisable to set up an early warning level in the assessment of an insti-tution�s risk-bearing capacity; this level is reached before the bank�s operation asa going concern is endangered.

The hedging objective at the early warning level is to ensure that relativelysmall risks which are highly likely to materialize can be absorbed withoutrequiring changes in the nature and scale of the bank�s business activities or inits risk strategy. The early warning level can be defined individually by eachbank, but it will depend heavily on the bank�s ability to access risk coveragecapital quickly and inconspicuously (i.e. without attracting excessive publicattention). Liquid or easily liquidated risk coverage capital is available forthe purpose of covering such risks. Reaching the early warning level couldprompt the bank to rethink its risk appetite and to take initial remedialactions. A bank can implement such an early warning system using a �trafficlights� model. The light remains green as long as the early warning level isnot reached. If, for example, 80% of the going concern level is reached, the earlywarning level is triggered (yellow). If the light turns red, the going concern is injeopardy.

The hedging objective of the going concern perspective is to enable the bank to absorb negative events and to continue operation as a going concern. This hedging objective places great emphasis on the concerns of the bank's employees and of the owners or equity investors (shareholders, cooperative members, etc.), who have an obvious interest in the continued existence of the bank. Under the going concern approach, the potential risk which is relatively likely not to be exceeded (e.g. 95% probability) is compared with the coverage capital defined (or available) for the going concern.54 As in practice the going concern is often linked to accounting ratios (e.g. maintenance of a minimum core capital ratio for a good rating, attainment of a positive annual result), the hedging objective can also be addressed using a separate P&L control procedure (cf. Excursus — Securing the Going Concern under the P&L Perspective). In both the economic and P&L-based methods, however, supervisory regulations also have to be taken into consideration in the going concern perspective.

The hedging objective in the liquidation scenario (worst-case scenario) in the ICAAP is to protect the interests of lenders (e.g. bond holders, savings investors). These parties provide debt capital which — in contrast to equity — cannot be regarded as risk capital. Therefore, the level of hedging must be higher in order to enable repayment of the debt. In this context, the bank's overall economic risk which is likely not to be exceeded (e.g. 99.9% probability) is compared to all sustainable risk coverage capital, i.e. the net asset value.

Chart 19: Overview of Hedging Objectives for Risk-Bearing Capacity

In the chapters that follow, we will discuss how risk coverage capital can be classified according to the hedging objectives mentioned above.

4.3.3 Classification of Risk Coverage Capital

For the actual calculation of risk-bearing capacity, it is advisable to analyze risk cover with regard to availability, liquidity, publicity effects and supervisory treatment, and to assign these resources to their respective hedging levels (early warning level, going concern, liquidation). Even more precise classifications of risk coverage capital can be found in the literature and in practice. However, as these subdivisions are often merged into two or three levels for the purpose of fulfilling hedging objectives, those methods largely match the explanations given here.55

54 Cf. FMA/OeNB, New Quantitative Models of Banking Supervision.

Coverage Capital for the Going Concern

For the early warning level, a bank typically has easily accessible coverage capital at its disposal which can be used to cover losses quickly and with little publicity. This capital might include parts of hidden reserves or profits already realized in the course of the current business year. Should a bank wish to include projected earnings in its risk coverage capital, then it is necessary to account for the sustainability of this coverage capital. Projected earnings themselves are in part risky and therefore not sustainably available as risk coverage capital.

Once the coverage capital for the early warning level is used up, additional coverage capital is available to protect the bank as a going concern. This includes additional sustainable hidden reserves which can be accessed easily and any capital beyond the minimum level defined by the bank.56

Excursus: Securing the Going Concern under the P&L Perspective

In current practice, fulfilling the going-concern hedging objective is defined explicitly on the basis of the P&L. In particular, internal groups such as management and external groups such as rating agencies and investors focus heavily on P&L-based indicators. Therefore, it makes sense to be able to maintain the bank as a going concern by means of a separate control loop based on P&L indicators.

In this context, it is necessary to consider the fact that especially in risk measurement there are differences between accounting ratios (P&L) and economic ratios. For example, in the case of interest rate risks, P&L risks (e.g. declining interest margins) and economic risks (e.g. present value loss) may diverge from one another. The risk of changes in the value of hidden reserves might not be visible in P&L risk. For example, a bank might enter an equity investment in the balance sheet at its book value, but hidden reserves may exist in the equity investment due to its valuation. If the hidden reserves are reduced to zero when risks are realized, this would signify an economic loss, but it would not be reflected in the P&L. In the case of credit risks as well, only that amount which exceeds the planned loss provisions for the remainder of the current year would be input to the risk-bearing capacity analysis as a P&L risk. In addition, the time horizon for risk measurement is shortened. At the beginning of the year, the risk that a planned annual result will not be reached is naturally higher.

For P&L risk cover, it is only possible to include the coverage capital which is available during the relevant period (i.e. the current business year). In particular, it is necessary to ensure that hidden reserves are also reversible during the relevant period. For this reason, coverage capital can only include that amount which also remains available as a hidden reserve in the case of a crisis, after due consideration of a risk deduction (lump sum or calculation with a probability-based risk measurement model). The following example should clarify this point:

If we assume that a bank has acquired a bond for EUR 100, its current market value is EUR 110, and the interest rate risk for the rest of the year (value at risk) comes to EUR 4, then EUR 6 (EUR 110 - EUR 100 - EUR 4) can be assigned to P&L risk cover.

55 Cf. Schierenbeck, H., Ertragsorientiertes Bankmanagement, Vol. 2, p. 30 ff.

56 However, it is necessary to consider regulatory requirements when calculating the bank's minimum capital, as the going concern requirement will be violated at the latest when capital falls below minimum regulatory requirements.


If this coverage capital is insufficient, then the bank's minimum profit as well as capital components above the regulatory minimum are also available. If these risk cover assets are tapped, then a negative annual result is usually inevitable, but the bank can still continue to operate. Additional risk cover assets are not available under this perspective, as accessing them would either endanger the bank's business activities (required capital) or they cannot be accessed within the relevant period (hidden reserves which are difficult to reverse). The approach presented here is a desirable additional development for risk-bearing capacity analysis and can be used by banks to fulfill the going concern condition in the ICAAP.

Coverage Capital for Liquidation

The risk cover for a liquidation scenario is meant to secure the claims of the bank's creditors. For this purpose, basically all coverage capital is available, including that which is not accessible for fulfillment of the going concern condition. Specifically, this includes minimum capital (core capital), sustainable hidden reserves which are difficult to access or cannot be accessed during the relevant period, and supplementary capital. For the purposes of the liquidation scenario, equity capital is used up first. Only in extreme emergencies will the banks also tap subordinated capital components. Such capital components must be analyzed carefully in light of their use and assessment as risk cover, as non-repayment already has to be classified as default in the broad sense. In particular, these include certain components of tier 2 capital (i.e. the liability sum surcharge, participation capital, supplementary and subordinated capital) and of tier 3 capital.

If these risk cover assets are ultimately used up in their entirety, the creditor's claims can no longer be satisfied. Should the losses also exceed risk cover assets in the liquidation scenario, this would constitute a default which would harm investors and require the intervention of a deposit insurance organization.

It is the bank's responsibility to identify and categorize its individual types of coverage capital. In this context, it is crucial to estimate coverage capital and its availability accurately, and to bring it into line with the bank's defined hedging objectives. This will put the bank in a position to evaluate its risk-bearing capacity. The next chapter discusses how this risk-bearing capacity can be secured.

4.4 Securing Risk-Bearing Capacity

4.4.1 Linking Potential Risks to Risk Coverage Capital

A bank's risk-bearing capacity can only be secured on a sustainable basis if it is reasonably probable that the available risk coverage capital will exceed the risks taken at all times. The basis for evaluating a bank's risk-bearing capacity is the quantification of material risks and of coverage capital (cf. Chapter 4.2, Assessment of All Material Risks, and Chapter 4.3, Definition of Internal Capital). In the following, we will explain how a bank can derive statements about its risk-bearing capacity from a comparison of risks and coverage capital.

When calculating its risk-bearing capacity, the bank must ensure that its methods of calculating risks and its definition of internal capital are consistent with one another. In the simplest case, a bank which uses the basic methods to measure credit, market and operational risk (i.e. standard methods for the calculation of minimum capital requirements) can use their regulatory capital as risk cover. However, relying exclusively on standard methods for calculating minimum capital requirements is generally insufficient for ICAAP purposes, as those methods do not cover all of a bank's material risks (cf. Chapter 4.2, Valuation of All Material Risks). Two methods can be used to account for additional material risks: In the first method, those material risks which are not covered by the risk types used in calculating minimum capital requirements (such as interest rate risks in the banking book or strategic risks) are covered by maintaining a capital cushion. In the second method, additional material risks are quantified separately and added to the bank's capital requirements. These methods can also be employed simultaneously: In this case, the institution's specific degree of risk would be quantified more precisely for certain risks (e.g. for interest rate risk in the banking book), while only a general capital cushion would be calculated for other risks. As the calculation of risks and the definition of internal capital are based on the methods used for calculating minimum capital requirements in the basic solution presented, it makes sense to use these methods in risk-bearing capacity analyses as well. In this context, banks should implement control based on an internal capital target57 specifically defined for the institution above the eight percent requirement if it is not possible to demonstrate that all material risks are already covered by the calculation methods for minimum capital requirements.

With this basic solution, it is only possible to derive rather vague statements on risk-bearing capacity. In accordance with the proportionality principle, such a solution is therefore only advisable for smaller banks with low risks.

Conversely, banks with more complex, riskier structures should use more sophisticated methods of evaluating their risk-bearing capacity. In the first step, the bank should use uniform risk quantification methods (e.g. value at risk) in order to meet the prerequisites for a consistent aggregation of risks. In the second step, it is advisable to design the bank's risk-bearing capacity analysis in such a way that statements can be made as to the probability with which the bank will be able to fulfill the risk-bearing capacity condition within a measured time horizon. Against this backdrop, advanced methods involve calculating the risks a bank can take without endangering the hedging objective pursued. In the control process, therefore, the following condition has to be fulfilled:

$$p\,[\mathrm{RC} > \text{potential losses}] \geq x$$

where
p = probability
RC = risk cover
x = confidence level in percent

This condition in risk-bearing capacity analysis can be defined on the basis of the relevant hedging objective (cf. Chart 20: Comparison of Risk Coverage Capital and Risks Taken and Chapter 4.3.2, Suitability of Equity Capital Types for Various Hedging Objectives).

57 For information on defining institution-specific capital targets, cf. Chapter 4.1, Strategy for Ensuring Capital Adequacy.


Chart 20: Comparison of Risk Coverage Capital and Risks Taken

The certainty or confidence level (x) can be interpreted as the probability that the available risk coverage capital will be sufficient to cover any risks realized during the holding period in question. A confidence level of 99% with a time horizon of one year indicates (in mathematical terms) that the bank's risk-bearing capacity will be guaranteed in 99 out of 100 years.58 The confidence level selected should thus be regarded in direct connection with the relevant hedging objective. Accordingly, a confidence level of 99.9% would signify (again in mathematical terms) that the risk-bearing capacity condition will be violated in one year out of 1,000.

In addition to the confidence level, the time horizon must also be defined for the hedging objective. The following arguments support the use of a one-year horizon:
- Risk measurements for operational risk and credit risk also assume a one-year horizon in the process of calculating minimum capital requirements.
- Most of a bank's credit risk positions can only be changed with great difficulty in the short term.
- Budgeting and capital allocation are also generally carried out in an annual cycle and cover one year.

Even if a shorter holding period is assumed in risk measurement, e.g. for trading portfolios, it makes sense to adjust to a one-year horizon with regard to the ICAAP. The following example should clarify this point: A bank uses a holding period of ten days in risk calculations for its trading portfolios, and processes this value in its risk-bearing capacity analysis for the ICAAP. Now let us assume that the risks are actually realized on the tenth day. This would mean that no further risk capital will be available for trading activities for the remainder of the year. This dilemma can be resolved through the appropriate risk budgeting on an annual basis by incorporating the maximum annual risk budget (annual loss limit) in the ICAAP.
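The condition p[RC > potential losses] ≥ x from this chapter, checked per hedging objective on a one-year horizon, as an added example that is not part of the guidelines. The simulated losses, the cover amounts and the reading of the 80% early warning trigger as a share of going concern cover are assumptions constructed for illustration; only the 95% and 99.9% confidence levels come from the text.

```python
from dataclasses import dataclass

# Constructed sample: 1,000 simulated one-year loss outcomes in EUR million.
# A bank would take these from its own aggregated risk measurement instead.
SIMULATED_ANNUAL_LOSSES = [i // 20 + i**3 // 1_000_000 for i in range(1, 1001)]


@dataclass(frozen=True)
class HedgingObjective:
    name: str
    confidence_permille: int  # x in tenths of a percent: 950 = 95%, 999 = 99.9%
    risk_cover: int           # RC assigned to this objective (assumed figure)


# Confidence levels follow the examples in the text; cover amounts are assumed.
GOING_CONCERN = HedgingObjective("going concern", 950, 1000)
LIQUIDATION = HedgingObjective("liquidation", 999, 1040)


def coverage_probability(losses, risk_cover):
    """Empirical p[RC > potential losses] over the simulated one-year outcomes."""
    return sum(1 for loss in losses if loss < risk_cover) / len(losses)


def loss_at_confidence(losses, confidence_permille):
    """Smallest loss that is not exceeded in at least x of all scenarios."""
    ordered = sorted(losses)
    rank = -(-len(ordered) * confidence_permille // 1000)  # ceiling division
    return ordered[max(rank, 1) - 1]


def condition_fulfilled(losses, objective):
    """True if p[RC > potential losses] >= x holds for the hedging objective."""
    covered = sum(1 for loss in losses if loss < objective.risk_cover)
    # Integer comparison avoids floating-point rounding at the threshold.
    return covered * 1000 >= objective.confidence_permille * len(losses)


def traffic_light(losses, going_concern, early_warning_percent=80):
    """Green/yellow/red status of the going concern objective.

    Assumption: yellow once the potential loss at the going concern confidence
    level reaches 80% of going concern cover, red once it reaches the cover.
    """
    potential = loss_at_confidence(losses, going_concern.confidence_permille)
    if potential >= going_concern.risk_cover:
        return "red"
    if potential * 100 >= going_concern.risk_cover * early_warning_percent:
        return "yellow"
    return "green"


if __name__ == "__main__":
    for objective in (GOING_CONCERN, LIQUIDATION):
        p = coverage_probability(SIMULATED_ANNUAL_LOSSES, objective.risk_cover)
        ok = condition_fulfilled(SIMULATED_ANNUAL_LOSSES, objective)
        print(f"{objective.name}: p[RC > losses] = {p:.3f}, "
              f"required {objective.confidence_permille / 10:.1f}%, fulfilled: {ok}")
    print("going concern light:", traffic_light(SIMULATED_ANNUAL_LOSSES, GOING_CONCERN))
```

With these constructed figures the going concern condition holds but already shows yellow, while the liquidation condition fails because the assumed cover is only sufficient in 99.6% of the simulated years.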

58 For each rating from known agencies, a master scale exists which contains a clear mapping of assigned ratings (e.g. BBB) to the corresponding default probabilities. A default probability can be determined on the basis of a rating and an understanding of the master scale.


Chart 21: Possible Methods of Ensuring Risk-Bearing Capacity

4.4.2 Risk Limitation as Economic Capital Budgeting

A bank's risk-bearing capacity can only be secured to a sufficient extent if risks can be limited effectively. The requirement of maintaining risk-bearing capacity (as described in the previous chapter) already constitutes a limitation of risk at the overall bank level.

In the planning process, risk capital is allocated to individual control units (cf. Chapter 4.5.2, The ICAAP Risk Management Process). In the allocation of risk capital, it is advisable not to allocate 100% of the bank's risk coverage capital, but to retain a certain share of capital at the overall bank level. This is recommended for the following reasons:
- The bank can provide capital cushions for risks which cannot be quantified (or only with great difficulty).
- An available capital budget is maintained in order to ensure that the bank remains flexible even in cases where shortages occur in individual limits.
- The decentralized control units can utilize a larger portion of their limits. The more a control unit (e.g. treasury department) can utilize its limits for risk-related reasons, the easier it generally is to attain income targets.

The risk capital made available for operational risks is not well suited for allocation to control units. Operational risk can hardly be decentralized in such a way that a control unit could take conscious measures to assume a specific risk position.59 From a risk perspective, therefore, decentralized limitation is not necessarily appropriate in this case. The coverage capital which is then still available is distributed among the individual business divisions, such as corporate business (credit risk), retail business (credit risk) and treasury (market risks, especially interest rate risk in the banking book). The number of levels at which the risk capital is distributed depends heavily on the bank's business model as well as its structure and complexity; this decision is to be made by the management in the process of articulating the bank's risk strategy.

59 In order to determine return requirements for the provision of risk capital, however, the overall volume of operational risks can still be divided among individual business lines.


In general practice, a business portfolio already exists when banks perform such a risk capital allocation process. The majority of risks will be found in lending operations and can therefore hardly be changed quickly and/or with reasonable effort. Therefore, it is advisable to begin with existing business in this allocation process. However, the allocation rules for target structures can be used for planned new business in order to steer the bank toward its target structure.

Risk capital should be allocated by assigning limits. For the control units, these limits define a clear framework or boundaries within which they can operate. At the same time, when risk capital is allocated by means of limits, the control units also assume responsibility for observing these limits. The bank can then secure its risk-bearing capacity by monitoring and analyzing limit utilization. Moreover, it is also possible to analyze the extent to which control units use their risk capital.

The following principles should be observed when designing a limit system within a bank:
- No risk without a limit (= provision of risk capital): This means that limits are also applied to the units responsible for risk taking (e.g. committees or the management if it controls individual equity investments directly).
- Illiquid risks (especially credit risks) have to be limited consistently where they originate (market units).
- A uniform definition of risk capital must be selected and used in allocation throughout the entire bank.
- The limit should reflect the risk level of each transaction or portfolio.
- Structural limits or volume limits based on creditworthiness can limit concentration risks effectively in areas where a (useful) risk-based limit cannot be calculated. Structural limits should be derived consistently and applied to the most significant types of concentration risks. In its ICAAP, each institution should review whether creditworthiness-based limits might be appropriate for certain groups of connected clients. Institution-specific maximum limits can, for example, be derived on the basis of internal rating grades and risk-bearing capacity (see excursus below). Moreover, additional structural limits (e.g. for countries or foreign currency loans) should be defined on the basis of the institution's specific portfolio.
- Overall, it is advisable to adhere to the motto "as many as necessary, as few as possible" with regard to limits in order to ensure sufficient risk hedging for the bank and at the same time to optimize risk management efforts.

A limit system which is tailored to the bank's specific circumstances is an important prerequisite for maintaining risk-bearing capacity. However, this can only be ensured if the limits (or risks) are monitored and the appropriate countermeasures are taken once risks begin to approach their defined limits (cf. Chapter 4.5, Processes and Internal Control Mechanisms).


Excursus: Example of Limit Allocation

The overall bank limit is first defined on the basis of the bank's risk-bearing capacity and risk appetite. This limit is then broken down at the level of risk types (e.g. market risk, credit risk) with a view to allocating the bank's risk capital to these individual risk types. Then the allocation is further specified at the level of control units. However, for the purpose of allocation at the lower levels it may be helpful or easier for the bank to apply volume limits (e.g. for individual borrowers) or sensitivity limits (e.g. PVBP limits in bond trading) instead of a VaR limit. This can help promote acceptance among sales employees and enhance practicability, for example. Here it is important that the bank can ensure that superordinate limits or ultimately the overall bank limit are observed when volume or sensitivity limits are exhausted.

Excursus: Deriving Creditworthiness-Based Limits from Risk-Bearing Capacity

Creditworthiness-based limits can be derived from risk-bearing capacity using a two-stage procedure. In the first step, the management must define an anchor point. This refers to the maximum unsecured volume for a country or a group of connected clients and must not be exceeded. The bank is only willing to risk this maximum unsecured volume for customers of the highest credit quality, and this volume also represents the maximum risk capital amount which a single customer can tie up. In the case of customers with lower creditworthiness, the same risk capital is already tied up by a substantially lower volume.

Chart 22: Deriving Creditworthiness-Based Limits from Risk-Bearing Capacity


In the second step, the bank can calculate the actual limits for each country or group of connected clients. Based on the defined anchor point for the maximum risk capital per group of connected clients or country, it is also possible to calculate consistent limits for borrowers of lower credit quality.

These supplementary procedures in credit risk assessment should be carried out in the ICAAP in order to reflect concentration effects accurately.

4.4.3 Using Stress Tests

Stress tests show the effects of events which cannot (or not sufficiently) be accounted for in "normal" risk measurements (e.g. with VaR methods). Banks are repeatedly confronted with these exceptional scenarios: market crashes, country crises, critical political events or major bankruptcies are just a few examples. For situations of this kind, the assumptions of the usual assessment methods do not appear sufficient, which can lead to substantial underestimates of risk. For this reason, it is important for a bank to define relevant stress scenarios. For example, massive fluctuations on international financial markets will have a different effect on a bank with high market risks than on a regional bank which primarily focuses on customer business. Nevertheless, it is necessary to account for the fact that these shocks can also have a noticeable impact on banks operating in more remote segments. After a market crisis, interest in funds and equities diminishes, which in turn brings about a decline in fee and commission income for many banks (even those which only operate regionally). For this reason, it may be helpful to define relevant stress scenarios for all of a bank's material risk types and to analyze the effect the simultaneous occurrence of such exceptional situations would have on the bank's risk-bearing capacity. The institution's specific business focuses can be taken into account by assigning different weights, for example. Banks which assume correlations in their ICAAP calculations should not assume any diversification effects in their stress scenarios. Moreover, tests prescribed by supervisory authorities also have to be integrated into the design of relevant stress scenarios (e.g. when certain methods are used to calculate capital requirements or large exposures).60

A bank can depict the effects of stress scenarios within the framework of risk-bearing capacity analysis. In this context, the bank should consider stress scenarios on the risk side as well as the effects of exceptional situations on the capital side. The results of the stress tests provide indications which may be helpful in identifying any existing weaknesses. This information can be used to develop countermeasures such as introducing security checks and access authorizations in order to reduce operational risks, or drawing up general emergency plans.

4.5 Processes and Internal Control Mechanisms

4.5.1 Incorporating the ICAAP into Bank Management

4.5.1.1 ICAAP as a Dimension of Strategic Management

The ICAAP should be integrated into the strategic management of the bank with the specific aim of enhancing awareness of the fact that strategic decisions involve risks which have to be offset with risk coverage capital. In this way, the bank can make efforts to improve its definition of business strategies, and thus also its handling and management of strategic risks. Therefore, strategic decisions such as the expansion of treasury operations, the definition of business lines (corporate customers, specialized lending) or entry into new markets must always be evaluated in light of their effects on the bank's risk situation and risk-bearing capacity. If, for example, a bank expands into markets abroad, this can give rise to additional risks (e.g. foreign exchange risks, legal risks).

60 Cf. OeNB Guidelines on Market Risk, Volume 5: Stress Testing (1999); or FMA/OeNB Guidelines on Credit Risk Management, Volume 2: Rating Models and Validation, Section 6.4 (2004).

This mutual process results in the bank's risk strategy, which should include all general conditions relevant to the ICAAP (see Chapter 4.1, Strategy for Ensuring Capital Adequacy). In this context, it is important to ensure that strategic requirements are put into practice and observed in day-to-day operations by the bank's operations risk management.

4.5.1.2 ICAAP as a Dimension of Operations Management

In contrast to the strategic risks discussed in the previous chapter, operations risks can be characterized as follows: Operations risks are more detailed and concrete, and they are characterized by a shorter action horizon. Within the framework of operations management, the task of the ICAAP is to control the risks taken and to ensure a sufficient level of internal capital. In general, a bank cannot prevent risks taken from being realized, at least in some cases. Therefore, in their risk-bearing capacity analyses banks should ensure that the risk coverage capital available is always sufficient to cover the risks taken. Afterwards, it is necessary to check whether the expected results were actually attained.

4.5.2 The ICAAP Risk Management Process

The process of risk management can be subdivided into five stages (see Chart 23: Stages of the Integrated Risk Management/ICAAP Process). In this context, it is important to note that this is not a strictly sequential process, but a control cycle which involves feedback and feedforward loops. In addition, it makes sense to apply a parallel quality assurance and control process to all stages of the risk management process.

Chart 23: Stages of the Integrated Risk Management/ICAAP Process


4.5.2.1 Risk Identification

The purpose of this initial stage in the risk management process is to record (in a structured form) as many risks as possible which might hinder the bank in attaining its goals. This is an especially important task because it sets the stage for the remainder of the risk management process, and the bank can only control risks if they are identified in this step.

A bank can evaluate independently which risks are relevant to its situation, for example on the basis of the risks described in Chapter 4.2, Valuation of All Material Risks. The bank should also record and document the results of the risk identification process. This can be done, for example, by compiling a risk manual (see Chapter 3.4, Documentation Requirements). The next step is to find and define suitable risk measurement methods for the risks identified. In the process of identifying risks, the bank should also define which data will be necessary for risk quantification and how these data can be provided.

In addition, this process should be designed in such a way that changes in existing risks as well as the emergence of new risks can also be taken into account. Especially when launching activities in new types or lines of business, the bank may be confronted with risks which previously bore little or no significance.

4.5.2.2 Quantifying Risks and Coverage Capital

The second task in the risk management process is risk quantification. This step is necessary in order to create an objective basis for decision-making in control units and the overall bank. Without risk quantification, the bank cannot make statements regarding its risk-bearing capacity within the framework of the ICAAP. Moreover, risk quantification is absolutely essential for evaluating the success of individual control units in terms of risk.

Likewise, the bank also has to quantify its risk cover. Economic risk cover is not a static value. On the one hand, the bank's risk cover will change due to the bank's earnings in the course of the business year. On the other hand, hidden reserves (e.g. in securities, equity investments) are also prone to fluctuations in value. The balance sheet and regulatory components of risk cover can be derived directly from reporting data. Additional components such as hidden reserves in customer business or in equity investments may have to be queried from other systems or sources (see Chapter 4.3, Definition of Internal Capital). In addition, it is absolutely necessary to account for additional supervisory requirements (e.g. planning capital requirements and available capital).

4.5.2.3 Aggregation

Once they have been identified and quantified, individual risks also have to be aggregated to determine the bank's overall risk in the ICAAP. In this process, it is necessary to ensure that no risks are omitted or captured incompletely. At the same time, it is also important to ensure that risks are not recorded redundantly and that individual risks can be aggregated (cf. Chapter 4.2.9, Aggregation of Risks).

The more complex a bank's structure is, the more demanding and involved the aggregation process becomes. Process design (e.g. for data provision, risk measurement, data transfer), assigned responsibilities and data quality are crucial in this context. For this reason, a clearly documented, comprehensible process is also necessary for aggregation. In this overall perspective, it is very important to take account of any assumptions regarding interdependencies among individual risks.

The insights gained in the process of risk measurement must be made avail-able to decision makers in a timely fashion, as they will require up-to-date infor-mation on the bank�s risk situation in order to take the appropriate measures tomanage the bank�s risks.

Along with risks, the available risk cover should also be aggregated. Riskmanagement decisions can then be made by comparing the bank�s risk cover withits risks. In order to ensure its risk-bearing capacity, the bank should make itsspecific risk profile transparent and understandable.

4.5.2.4 Ex Ante Control

In the planning process, an operational limit is defined for each individual control unit. These limits should be embedded in the bank's structure in such a way that a limit exists for each control unit which can take on risks. In this way, the bank can limit or prevent certain risky transactions for the sake of risk avoidance. This is especially useful for those risks which can only be mitigated with great difficulty. For credit risk, this might involve imposing limits at the point of sale, where the risks originate. In the process of ex ante control, emergency plans should also be drawn up for extreme stress scenarios.

In pricing, the determination of the risk premium on the basis of the borrower's creditworthiness is also an important instrument for ex ante control.

Excursus: Risk-Adjusted Pricing

Risk-adjusted pricing means that the lending terms offered to a customer are based on the level of risk involved. This method has a positive effect on the bank's risk-bearing capacity.

  Interest margin contribution
+ Income from fees and commissions
- Standard risk costs
- Operating costs
= Contribution margin before cost of capital
- Cost of capital
= Contribution margin after cost of capital

In order to derive a transaction's contribution margin, it is necessary to deduct operating costs, standard risk costs (which should equal the expected loss) and the cost of capital from the sum of the interest margin contribution and income from fees and commissions. The standard risk costs or expected loss of a loan should be included in pricing because it already has to be anticipated in calculations in order for the transaction to have even a chance of being profitable. If the attainable margins are insufficient to cover the expected loss, this will yield a negative contribution margin. In the long term, generating negative contribution margins will consume the bank's capital and thus endanger its risk-bearing capacity.

The cost of capital represents a form of remuneration for the risk capital made available to cover unexpected losses. These "costs" arise from the fact that the owners of the bank require compensation for their risks. As a general rule, the lower a customer's creditworthiness is, the higher the capital charge should be for a risky transaction. Higher risk thus logically leads to higher risk capital costs.

If the interest margin contribution contains the appropriate premiums for both expected loss and unexpected loss (i.e. because the bank uses risk-adjusted pricing), the bank can assume ex ante that it will see positive contribution margins. This helps secure the bank's risk-bearing capacity.

In contrast, non-risk-adjusted pricing can cause a steady deterioration in the quality of the credit portfolio. This is linked to the fact that when a bank uses terms and conditions which are not adjusted for creditworthiness, customers in good credit standing are systematically placed at a disadvantage compared to customers with poor creditworthiness. The customer with high creditworthiness will therefore be inclined to switch to a competing bank. On the other hand, customers with poor creditworthiness are given an incentive to accept these terms, which are relatively favorable for them. The bank's credit portfolio would thus gradually accumulate exposures to customers with low creditworthiness, while the more reliable customers would slowly disappear. This process, which is also referred to as "adverse selection", has a negative effect not only on the bank's income situation but also on its risk-bearing capacity.

Risk-adjusted pricing therefore allows the bank to use pricing in order to maintain its risk-bearing capacity as required in the ICAAP. The bank's risk-bearing capacity is not even endangered when loans are granted to customers in poor credit standing, as the increased risk is covered by the adjusted terms. However, the market mechanism of risk-adjusted pricing also has its limitations, as this technique cannot sufficiently account for concentration risks. For this reason, it is helpful to define additional structural limits in addition to adjusting terms and conditions for creditworthiness.

Structural limits refer to explicit exposure limits for each internal rating grade from the bank's risk-bearing capacity. As soon as one of these limits is reached, no further loans can be granted to customers in the corresponding rating grade, regardless of whether the customer is willing to pay a higher risk premium.

4.5.2.5 Risk Monitoring and Ex Post Control

Risk Monitoring

Risk monitoring refers to the process of ensuring that a bank's risk profile remains in line with its risk preferences at all times. This control information can be derived from a regular comparison of the bank's target and actual situation. In the ICAAP, the target situation is defined by the limits assigned by the bank. In this context, the bank should also set up a standardized procedure for dealing with increasing levels of limit utilization and limit overruns. Limit utilization can be monitored using a "traffic lights" system. If the light changes to yellow in a given area (e.g. because the limits defined for the early warning level are reached), the bank can already initiate control measures. In addition, it is advisable to define a standardized procedure for cases where the light turns red, meaning that the bank's risk-bearing capacity is in jeopardy.

While target/actual comparisons primarily monitor adherence to defined limits in the case of quantifiable risks, the main objective in the case of non-quantifiable risks is to monitor process-related requirements or qualitative limits. Banks should also consistently monitor risk positions in a management process for risks which are not (or not easily) quantifiable.

The bank can then include the results of this monitoring process in (internal) risk reports. Therefore, a crucial element of effective internal ICAAP reporting is the procurement and preparation of all information regarding the risk positions of individual business divisions and the overall bank, and regarding risk cover assets. ICAAP reports should be compiled regularly and prepared with the recipients in mind (i.e. decision-makers in business divisions and the bank's management). In connection with the ICAAP, it is advisable to provide the following information:

- Economic risks for the bank as a whole and broken down by risk type;
- Economic risk cover and utilization of overall bank limits;
- Current solvency ratio;
- Risk profile and limit utilization of top-level control units;
- Overview of control units or risk types which have exceeded their limits;
- Overview of structural limits (size classes, countries, rating grades, industries, etc.) and the corresponding levels of utilization;
- Development of risk status compared to the previous period;
- Results of stress tests and scenario analyses;
- Proposed measures in cases where limits or risk-bearing capacity are exceeded;
- P&L risk for the bank as a whole and broken down by risk type;
- P&L risk cover (as necessary).

Internal Reporting

Information should be prepared in a regular reporting cycle, both ex ante as a basis for decisions and ex post for review purposes. Moreover, ad hoc reports should be provided in cases where risks are realized suddenly or unexpectedly. Ex post analyses involve analyzing deviations from projected figures in order to derive a basis for decisions on future control measures.

The design of the risk reporting system can only be well-founded if the bank has precise ideas of the demands it has to meet. With regard to the introduction of a reporting system, the following success factors can be identified:

- Expediency: Reports should provide all essential information. In the ICAAP, this refers specifically to the comparison of the bank's overall risks with its risk cover.
- Acceptance: User acceptance of the information provided is decisive for the implementation of organizational rules and for the use of reporting. For this reason, the risk report's scope and level of detail should be defined with due attention to the needs of the target group.
- Transparency: The risk report should contain clear, comprehensible and accurate information.
- Completeness: Reports should cover all material risks and types of risk coverage capital as well as supervisory aspects (i.e. adherence to capital requirements).
- Comparability and aggregability: The format of the report should be designed as uniformly as possible in order to be able to merge the various risk types and business units into a complete overview of the bank's risk situation.
- Timeliness: The reporting system should be designed in such a way that gaps between target and actual risk positions can be reported as quickly as possible in order to enable the appropriate countermeasures to be taken in due time.
- Feasibility: The targeted reporting solution should be feasible within the institution's structural and process organization.
- Continuity: Reports should be compiled at regular intervals, and their content should be presented in a consistent format.
- Economy: Considerable resources are required in order to procure and prepare reporting information. Therefore, the bank should also focus on maximizing the economy of the reporting system — as long as no critical risk information is lost as a result.

With regard to reporting hierarchies, levels of detail, media and time intervals, the risk reporting system should be designed with attention to the factors indicated above and in light of the size, complexity and risk level of the institution (proportionality principle). A bank will generally not have to develop an entirely new reporting system for ICAAP purposes. In particular, the management should not be presented with another isolated report containing information which partly overlaps with other reports. Instead, the bank should base its system on existing risk reporting procedures, supplementing them as necessary with components which explicitly address the bank's risk-bearing capacity. It is also a good idea to include a management summary in order to define the focus of each report.

Ex Post Control

Reporting forms an important basis for the measures taken in the ex post control stage. The objective of this stage is to exercise an active influence on risk positions determined in the previous stages of risk identification and risk measurement. The bank's risks have to be brought into line with its risk targets and preferences. In order to attain these objectives, the bank can basically choose among the following alternatives:

- Risk mitigation or risk transfer: The aim of risk mitigation is to reduce the effects of risks which may be realized in the future. Risk mitigation measures might include requesting collateral (e.g. for loans), diversifying risks or using conventional insurance. Risk transfer refers to shifting exposures to third parties. This can involve selling the risk position or using hedging transactions (e.g. swaps, forward foreign exchange contracts).
- Reallocating risk capital (i.e. increasing limits): This is only possible if other control units have not exhausted their limits or the bank can access additional capital cushions in its risk cover. Reallocation may be useful in cases where a control unit presents attractive business opportunities which justify increasing its allocated limit. The bank's risk-bearing capacity represents the maximum limit for reallocation.
- Increasing risk coverage capital: The bank can also control its risk cover to a certain degree. Banks can increase their risk coverage capital if they can raise additional capital (e.g. by carrying out a capital increase, issuing cooperative shares, hybrid capital). In practice, such actions are taken primarily in connection with a bank's strategic measures, for example before taking over another bank or expanding into new markets. For the purposes of operations risk management, such measures are generally too time-consuming and cost-intensive. However, for the sake of emergency planning it is advisable to discuss the bank's general options for increasing risk coverage capital with the bank's equity investors.

Ex post control can be seen as the last step in the risk management process and at the same time as the trigger for a new process.

4.5.2.6 Quality Assurance and Control Process

Quality assurance and control form a process which runs in parallel to the five processes described above. In this process, it is necessary in particular to ensure that consistent methods and procedures are used to quantify risks and coverage capital. Moreover, the bank should ensure the security and quality of data as well as the reliability of systems. Here the bank should review the processes and responsibilities in risk management (data generation, risk measurement, the derivation of control measures, risk monitoring, etc.) and seek to prevent conflicts of interest. In addition, the bank should verify that the necessary levels of know-how and resources are available.

The function of the quality assurance and control process must also be understood as a continuous learning process. For example, losses incurred in the past due to the omission of relevant risks, inaccurate risk assessments or the selection of incorrect control measures can provide input for the improvement of future risk-related decisions (back-testing).

4.5.3 Risk Management Organization in the ICAAP

In the previous chapter, we discussed the stages of the risk management process and thus focused on risk management workflow; this chapter deals with issues related to structural organization for the purpose of designing effective risk management structures.

4.5.3.1 Structural Organization

As risk management is understood as a process (see previous chapter), risk management tasks — and thus also ICAAP-related tasks — can be handled by various organizational units. For example, risks and risk coverage capital are often quantified by a dedicated organizational unit. This organizational unit is typically referred to as "risk control". Risk control measures are often decided upon by a committee (asset and liabilities management, investment committee, credit committee, etc.). In turn, these control measures might be implemented by the treasury department or trading department in the case of market risks. In this case, it is important to ensure that risk capital is provided (i.e. that a limit exists) for every decision in which risks are taken. This also applies to the actions of a committee or other decision-making body, thus also making it possible to review responsibilities.

The actual organizational design of the process is highly significant in light of the multi-layered nature of the risk management process. In this context, it is necessary to ensure that tasks, competences and responsibilities are defined clearly. In designing this organizational structure, the bank must also ensure that tasks which are incompatible with one another are carried out by different organizational units. In this context, the management is responsible for preventing conflicts of interest. In many cases, this clearly calls for a thorough and consistent segregation of those functions and organizational units which actively take and control risks from those units which measure, check and report on risks.


4.5.3.2 Risk Control as a Separate Function in Risk Management

The risk control unit performs important risk management functions by providing information for control and steering decisions and by defining risk-related methods at the highest level. The purpose of risk control is to measure, analyze, monitor and report on risks. This also implies a delineation from the broader term "risk management": The risk control unit is dedicated exclusively to providing information and proposals, thus it cannot take risk positions itself.

As a result, the risk control unit is responsible for critical operational tasks in the ICAAP. Specifically, these include the adaptation and expansion of the corporate planning system as well as information provision and reviews, coordination and integration of subsystems into an overall system, documentation of the risk management system, risk reporting and the timely provision of management information.

Risk control therefore narrows the gap between information needs and the available information, and provides advice and support to the employees responsible for corporate divisions and processes. The risk control unit may also act as an advisor to the company's management by recommending risk control measures (e.g. proposing limits differentiated by risk types and business units).

4.5.4 Functions of the Internal Control System in the ICAAP

In order to implement the requirements regarding processes and control mechanisms, the bank can rely on various ideas and publications at the national and international level with regard to designing internal control systems in ICAAP development.

The internal control system is not explicitly mentioned in the Austrian Banking Act (BWG); however, Article 39 (internal control procedures) and Article 42 BWG (Internal Audit) as well as Article 16 (Filing and Documentation Requirements) and Article 18 WAG (Governance) can be regarded as legal bases. Here it is also necessary to mention Article 82 AktG and Article 22 paragraph 1 GmbHG, under which the management is responsible for ensuring that the company maintains an internal control system which fulfills its requirements.

Fundamentals of the Internal Control System

In the ICAAP, banks are required not only to have strategies and processes in place for continuously assessing and maintaining the adequacy of their internal capital, but also to carry out regular internal reviews of these strategies and processes. This is meant to ensure the adequacy and completeness of the ICAAP on an ongoing basis. In essence, these requirements refer to a bank's internal control system, which is explained briefly in this chapter.

Principles of the Internal Control System

Every bank is required to have a functioning internal control system, which also includes parts of risk management.

The management bears the overall responsibility for developing a strong and effective internal control system which covers all of the bank's divisions and activities. In this context, the internal control system should fulfill the following specific requirements within the bank:

- Effective and efficient operations and business units;
- Adequate control of risks;
- Adequate management;
- The reliability of all financial and non-financial information which is reported or disclosed both internally and externally;
- Compliance with relevant laws and other regulations as well as internal policies and procedures.

In order to fulfill these obligations appropriately, all managers are responsible for ensuring that the human and material resources made available for the internal control system are sufficient (in qualitative as well as quantitative terms) at all times.

Implementation of the Internal Control System

In setting up its internal control system, the bank must ensure a strict segregation of duties and assignment of authority in addition to a clear, transparent and documented decision-making process in order to ensure congruency with internal decisions and workflows. Moreover, control mechanisms (such as the segregation of functions and the "four eyes" principle) must be appropriate to the bank's business activities. The functions of risk control, internal audit and compliance can be regarded as instruments for fulfilling the requirement with regard to the internal control system within the institution.

Risk Control Function

The risk control function should be defined and implemented for the purpose of monitoring and reviewing all risks identified by the bank in its risk assessment. For further details, see Chapter 4.5.3.2, Risk Control as a Separate Function in Risk Management. Reports should be directed not only at the management but also at all other relevant staff.

Compliance Function

The compliance function, which is primarily an instrument for the management, is to identify and assess actual or potential deviations from laws, regulations, codes and standards as well as internal guidelines, and to report such violations to the head of the relevant organizational unit and to the relevant member of senior management (in severe cases to the entire management) as necessary.

In addition, the compliance unit can assist the management in remaining up to date regarding the current state of relevant existing and proposed regulations, as well as assessing the possible impact of changes in the legal environment on the bank. In the ICAAP, the compliance unit should verify that new products, transaction types and procedures comply with current and future regulations. Another important task of compliance is to create a compliance culture in the company and to train employees with regard to existing or changing regulations as a proactive contribution to minimizing the bank's compliance risk.

Internal Audit Function

Internal auditing is a management instrument especially for process-independent monitoring of the bank's risk management system and ensuring an adequate level of quality in internal controls. In this context, the two other control functions mentioned here — risk control and compliance — should be subjected to regular reviews by the internal audit unit. Moreover, the internal audit unit is responsible for evaluating the adequacy of existing principles and procedures on an ongoing basis.

With regard to the ICAAP, this unit should thus review ongoing ICAAP application, monitor adherence to controls in place within the ICAAP, report any shortcomings identified to the management, and review the resolution of such shortcomings in the course of follow-up procedures.

Independence of Functions of the Internal Control System

In order to enable the functions of risk control, internal audit and compliance units to fulfill their duties properly and thus to ensure an effective internal control system, these units should be independent of the business lines they monitor and segregated from each other.[61]

4.5.5 References to FMA Minimum Standards

The minimum standards published by the Austrian Financial Market Authority provide additional guidance for ICAAP implementation. In response to international as well as national developments, the FMA provides Austrian banks with recommendations on key issue areas on the basis of the Austrian Banking Act. These recommendations are published in the form of minimum standards, which do not constitute legally binding FMA regulations. However, with particular reference to the due diligence obligations set forth under Article 39 BWG, the FMA expects banks to adhere to these minimum standards in their business activities. To date, the FMA has published four minimum standards for credit institutions (see References).

A number of ICAAP topics are also addressed in these publications, thus the FMA's recommendations may also provide banks with an orientation aid for ICAAP implementation. Specifically, the topics covered in these standards include the following:

Especially in Austria, increased credit risk exists in many banks due to foreign currency loans and loans with repayment vehicles; this additional risk must be accounted for in the ICAAP.

In this context, the FMA released minimum standards for granting and managing foreign currency loans as well as loans with repayment vehicles. These two sets of minimum standards essentially contain recommendations for proper approval procedures as well as risk management and control with regard to these two forms of financing.

The FMA's Minimum Standards for the Credit Business provide guidance on credit risks, especially risk policies and strategies, risk control, documentation requirements for processes and methods, valuation and measurement methods (including risk-bearing capacity), the treatment of new types of transactions, and responsibilities. The purpose of these minimum standards is to foster the development of risk management at Austrian banks.

[61] On the compatibility of simultaneously fulfilling compliance and internal audit duties, see the FMA bulletin of March 30, 2004, on the compatibility of internal audit/money laundering oversight/compliance monitoring.


In the ICAAP, internal auditing plays an especially important role within the framework of the internal control system. The FMA's Minimum Standards for Internal Auditing contain general guidelines on organization, duties and the status of the internal auditing unit based on Article 42 BWG.


5 ICAAP Implementation

5.1 Steps in the Implementation Process

Before the bank can begin designing its ICAAP, it must first define its relevant target state. In order to do so, the following steps are required:

Chart 24: Steps in the ICAAP Implementation Process

Definition of Institution-Specific Requirements (Target State)

In the first step, the bank should draw up a catalog of requirements based on supervisory sources, especially the EU Directive 2000/12/EC and the guidelines published by the FMA/OeNB [62]. In this context, this document should also be taken into account.

In the second step, these requirements have to be specified for the individual bank. In the course of a self-assessment, the bank should identify its material risks, from which it can then derive its risk profile. The requirements with regard to ICAAP methods are to be defined in light of the bank's risk profile. Typically, the introduction of new methods begins with relatively simple, robust solutions which are then developed and refined on an ongoing basis.

The full catalog of requirements then represents the target state for ICAAP purposes and defines requirements with regard to methods, procedures, processes and organization. Therefore, drawing up the catalog of requirements also calls for preliminary strategic considerations and steering decisions with regard to the ICAAP to be implemented.

Gap Analysis (Target/Actual Comparison)

Once the target state has been defined, the bank should analyze those requirements which are currently not (or not completely) fulfilled. In this process, the bank should survey the current state of methods, processes and organization in its internal risk management system. Furthermore, possible interfaces to existing and planned project activities should be discussed. Typical interfaces include the implementation of the EU Directive 2000/12/EC with regard to calculating capital requirements, or activities aimed at fulfilling the minimum standards for the credit business.

The relevant organizational units should analyze their current state, as the respective experts in each field will be best able to assess the bank's implementation status. In this process, the individual topics should be assigned to the respective employees in charge.

Gaps in implementation can then be identified by comparing the requirements with the current state. This comparison of target and actual states could be carried out in the course of a workshop attended by the organizational units concerned. The results should be documented and conveyed to the units responsible (project team, management). The bank can then assess the significance and consequences of the gaps identified as well as identify the necessary actions on this basis. These gaps and areas where corrective action is necessary should be documented.

[62] Additional requirements can be derived from the recommendations of the Basel Committee on Banking Supervision (e.g. Sound Practices for Managing Liquidity in Banking Organisations).

Implementation Planning

In implementation planning, the first step is to prioritize the required measures. In this way, a clear ranking can be defined in order to deploy implementation resources effectively. In the next step, the measures identified are to be combined in individual work packages and coordinated with the organizational units concerned. In this process, the bank should also define who is responsible for handling topics which have not yet been addressed. In addition, it is also necessary to cover those activities to be handled in separate projects. In the third step, the bank should set binding deadlines and responsibilities with due attention to the capacity available within the organization.

Implementation

The bank might first develop and/or adapt its methodological plans. Next, the bank can fulfill organizational and IT requirements (e.g. risk measurement and the limit system) as required by the ICAAP. The process-related aspects and responsibilities within the ICAAP can then be defined and documented. This might involve quantifying and aggregating risks and coverage capital, monitoring limits or taking measures in the ex post control process. The bank can also define upstream activities such as the generation and provision of data at this stage. The ICAAP is integrated into the bank's strategic and operational control mechanisms (e.g. annual budgeting and planning on the basis of risk indicators and coverage capital). Once implementation is completed, the bank should have at its disposal adequate methods, processes and systems to ensure its risk-bearing capacity.

5.2 Critical Success Factors in ICAAP Implementation

The following factors are crucial in the actual implementation of an ICAAP:

- Early detection of gaps in fulfillment;
- Selection of methods;
- Master plan and project management;
- Communication;
- Know-how and resources;
- Data quality;
- Suitable IT systems.

Early Detection of Gaps in Fulfillment

A bank should make efforts to detect gaps in its fulfillment of requirements as early as possible so that it can take the appropriate measures in a timely and economical manner. Closing these gaps quickly mainly serves to improve the bank's internal risk management and thus also enhances the bank's ability to ensure its risk-bearing capacity; this should be done regardless of the Directive's entry into force.

Selection of Methods

The bank should determine the methods and procedures which best suit its needs, as these determine the validity of the ICAAP as well as the required implementation resources. In the course of selecting methods, the bank should not only consider its current risk profile but also anticipate planned developments in individual risk types. If it is already clear now that trading will be expanded heavily in the coming years, then it makes sense to introduce more advanced procedures from the outset when designing the ICAAP.

Master Plan and Project Management

The bank should develop a master implementation plan which covers planning, budgeting and a prioritization of all ICAAP implementation tasks. This master plan forms the basis for requesting internal and external capacities and may well involve planning resources over a period of several years. For example, implementation might already be well underway for the most important risk type while measures for other risk types are still being planned.

Once it reaches a certain scale, the master plan should be transformed into a detailed project plan, which serves to reduce complexity and create transparency with regard to the bank's current implementation status. It is also important to set binding deadlines and responsibilities on the basis of this plan. A project management team should then monitor and control the performance of individual tasks. In this context, it is advisable to appoint a project manager to coordinate activities and monitor results. Project management should seek to prevent any conflicts of interest between the organizational units involved in implementation and to maintain a holistic view of the project.

Communication

The need for and advantages of an ICAAP have to be clearly communicated to the bank's employees. The fundamental concept behind the ICAAP should not only be communicated to the upper hierarchical levels of a bank, but to all relevant organizational units. Market units (e.g. sales, treasury, etc.) in particular may be affected by the measures required in ICAAP introduction. A newly designed limit allocation system or any necessary adaptations to the bank's organizational structure are more likely to be supported by the employees if they are informed about the need for these measures in a transparent and understandable manner. Insufficient communication in implementation projects often results in low levels of identification or even rejection and demotivation. By applying an appropriate communication policy and setting a good example, the bank's management level can generate the employee acceptance necessary for successful implementation of the ICAAP.

Know-How and Resources

One major objective of the ICAAP is to foster the development of internal risk management. For this reason, expertise in this area is a critical success factor in the introduction of an ICAAP. The implementation and application of the ICAAP in ongoing control pose a considerable challenge for the employees involved. This means that the bank's staff will increasingly become one of the most important success factors due to the changing environment and the resulting need for adaptation. In addition, it is also important for the bank to have the necessary resources (employees, systems) at its disposal in the ICAAP implementation process. Resource requirements will depend on the bank's size and risk profile as well as the difference between the current status and the defined requirements.

Data Quality

Data quality (completeness, availability) is especially important because it determines the reliability and accuracy of calculated results (e.g. risk indicators, coverage capital). The process of data quality assurance begins with accurate data capture and goes as far as ensuring data availability in the ICAAP.

Suitable IT Systems

Especially for risk management, it is necessary and worthwhile to ensure timely automated evaluations due to the large data quantities involved and the sometimes complex calculation algorithms used. In its ICAAP, the bank can rely on existing risk management systems (risk measurement, limit monitoring) if they meet the defined requirements. Potential expansions and new acquisitions in the IT field should be considered with due attention to the existing system landscape. Here it is important to note that maintaining and updating the historically grown IT structures of many banks can require enormous resources. Moreover, the lack of uniform data pools can create considerable difficulties in evaluation systems (e.g. inconsistent values).

Finally, the pressure to address strategic options regarding the design and deployment of information technology is also compounded by the increasing strategic significance of information technology as well as the existing problems banks are experiencing in this area.




List of Abbreviations

AktG: Austrian Stock Corporation Act (Aktiengesetz)
AL-CO: Asset and Liability Committee
BWG: Austrian Banking Act (Bankwesengesetz)
CAD: Capital Adequacy Directive (Directive 93/6/EEC on the capital adequacy of investment firms and credit institutions)
CEBS: Committee of European Banking Supervisors
CRM: Credit risk mitigation
EAD: Exposure at default
EL: Expected loss
EU Directive 2000/12/EC: Directive 2000/12/EC of the European Parliament and of the Council of 20 March 2000 relating to the taking up and pursuit of the business of credit institutions
HGB: Austrian Commercial Code (Handelsgesetzbuch)
GmbHG: Austrian Limited Liability Company Act (Gesetz betreffend die Gesellschaften mit beschränkter Haftung)
IAS/IFRS: International Accounting Standards / International Financial Reporting Standards
IRB Approach: Internal Ratings Based Approach
SME: Small and medium-sized entity
LGD: Loss given default
PD: Probability of default
PVBP: Present value of a basis point
RAROC, RARORAC: Risk-adjusted return on (risk-adjusted) capital
RC: Risk cover
RORAC: Return on risk-adjusted capital
SRP: Supervisory Review Process
WAG: Austrian Securities Supervision Act (Wertpapieraufsichtsgesetz)
VaR: Value at risk
